(57) Abstract: A method for performing computations in a mathematical system which exhibits a positive Lyapunov exponent,
or exhibits chaotic behavior, comprises varying a parameter of the system. When employed in cryptography, such as, e.g., in a
pseudo-random number generator of a stream-cipher algorithm, in a block-cipher system or a HASH/MAC system, unpredictability
may be improved. In a similar system, a computational method comprises multiplying two numbers and manipulating at least one of
the most significant bits of the number resulting from the multiplication to produce an output. A number derived from a division of
two numbers may be used for deriving an output. In a system for generating a sequence of numbers, an array of counters is updated
at each computational step, whereby a carry value is added to each counter. Fixed-point arithmetic may be employed. A method of
determining an identification value and for concurrently encrypting and/or decrypting a set of data is disclosed.
METHODS FOR IMPROVING UNPREDICTABILITY OF OUTPUT OF PSEUDO-RANDOM NUMBER
GENERATORS

TECHNICAL FIELD 


The present invention relates to aspects of improving unpredictability of pseudo-random
numbers which originate from numerical computations in mathematical systems comprising
at least one function, in particular a non-linear function. The mathematical system may be a
non-linear system of differential equations which exhibits chaotic behavior. The invention is
useful in encryption and decryption in, e.g., electronic devices.

BACKGROUND OF THE INVENTION 

Cryptography is a generally used term covering science and technology concerned with
transforming data, such transforming of data being performed with the aim of allowing for
storing and transmitting of the data while preventing unauthorized access to the data. By
means of cryptography, the data are made non-comprehensible for any other person but the
intended recipient or recipients of the data. Accordingly, cryptography plays an increasingly
more important role in the protection of intellectual property, including copyright protection,
as the technological advancements require safe transmission and storage of huge amounts of
data.

In an encryption and decryption algorithm, the specific transformation of data is dependent
on an input to the algorithm, a so-called key. In case the sender and the recipient of the data
have an appropriate set of keys, the sender and the recipient are able to correctly encrypt
and decrypt the data while any third person who may gain access to the encrypted data is
not able to view a properly decrypted version of the encrypted data, as she or he is not in
possession of an appropriate key.

Usually, a set of data to be encrypted is referred to as "plaintext" or "original data", whereas
the encrypted version of the set of data is referred to as "ciphertext" or "encrypted data".

Two types of symmetric cryptographic algorithms are the so-called "block cipher" and the
so-called "stream cipher". Both types of algorithms use symmetric keys, i.e. the keys used for
encryption and decryption are equal or trivially related. A block cipher is a cryptographic
algorithm which splits an original set of data into a plurality of blocks of a given size, e.g. 64
bits per block. Mathematical and logical operations are performed on each block, whereby the
original amount of data is usually transformed into blocks of pseudo-random data. In case
decryption is initiated with the correct decryption key, the original data can be re-called by
reversing the mathematical and logical operations used for encryption.

In a (synchronous) stream cipher, a pseudo-random number generator generates, based on
a key, a sequence of pseudo-random numbers, the sequence being referred to as a
keystream. The keystream is mixed, by arithmetic and/or logical operations, with a plurality
of sub-sets of the original set of data, the sum of sub-sets of data defining the original data
to be encrypted. The result of the mixing is the encrypted data. The set of encrypted data
may be decrypted by repeating the procedure in such a way that the pseudo-random
sequence is extracted from the encrypted data, so as to arrive at the original, decrypted
data.

The plaintext is often mixed with the keystream by use of a logical operator, most often by
the so-called XOR operator, also referred to as the "exclusive or" operator, which is
symbolized by the ⊕ symbol. XOR generates a one-bit result from two one-bit arguments. All
possible combinations are:

0 ⊕ 0 = 0
0 ⊕ 1 = 1
1 ⊕ 0 = 1
1 ⊕ 1 = 0

Utilization of the XOR operator on a plaintext and a pseudo-random keystream yields a
ciphertext. During decryption, an identical keystream is generated, and the XOR operator is
now utilized on the keystream and the ciphertext, resulting in the original plaintext. The
identical keystream can only be generated by using the key on which the keystream for
encryption was initially based.

Further, so-called public key systems have been developed, such systems being
characterized by a pair of asymmetric keys, i.e. a public key and a private key, the two keys
being different. In such systems, the public key is usually used for encryption, and the
private key is usually used for decryption. The private and the public key correspond to each
other in a certain manner. The key which is used for encryption cannot be used for
decryption, and vice versa. Thus, the public key may be published without violating safety in
respect of accessibility of the original data. Accordingly, when transmitting encrypted data via
a computer communications network, the recipient of the data first generates a set of keys,
including a public and a private key. The public key, for example, is then provided to the
sender of the data, whereas the private key is stored at a secure location. The sender of the
data utilizes the public key for encrypting the original data, and the encrypted data are then
transferred to the recipient. When the recipient receives the encrypted data, the private key,
which corresponds to the public key previously utilized for encryption, is provided to the
decryption system which processes the encrypted data so as to arrive at the original
decrypted data. Public key systems are primarily used for transmitting keys which are utilized
in, e.g., block or stream ciphers, which in turn perform encryption and decryption of the
data.

The methods of the present invention are applicable to cryptographic methods and
cryptographic systems, in particular but not exclusively to stream cipher algorithms, block
cipher algorithms, Hash functions, and MAC (Message Authentication Code) functions. Such
methods, functions and algorithms may include pseudo-random number generators which are
capable of generating pseudo-random numbers in a reproducible way, i.e. in a way that
results in the same numbers being generated in two different cycles when the same key is
used as an input for the pseudo-random number generator in the two cycles.

In pseudo-random number generators, numerical solutions of chaotic systems, i.e. systems
of non-linear differential equations or mappings exhibiting chaotic behavior, have been
proposed. The term "chaotic" may in a strict mathematical sense only be used in the context
of a continuous system. However, the present text also refers to discrete or finite systems
having at least one positive Lyapunov exponent as being "chaotic".

A chaotic system normally governs at least one state variable X, the numerical solution
method of such a system normally comprising performing iteration or integration steps. In a
chaotic system, the solution $X_n$ at a given instant is dependent on the initial condition $X_0$ to
such an extent that a small deviation in $X_0$ will result in a huge deviation in the solution $X_n$,
the system often being referred to as exhibiting sensitivity on initial conditions. Thus, in order
for the pseudo-random number generator, i.e. the algorithm numerically solving the chaotic
system, to give a reproducible stream of pseudo-random numbers, the exact initial condition
$X_0$ must be known. Thus, in cryptographic algorithms relying on chaotic systems, the initial
condition $X_0$ used in the numerical solution of the chaotic system is derived from the key
entered by a user of the cryptographic system, thereby allowing the same stream of
pseudo-random numbers to be generated for e.g. encryption and decryption of data.


Lyapunov exponents measure the rates of divergence or convergence of two neighboring
trajectories, i.e. solution curves, and can be used to determine the stability of various types
of solutions, i.e. determine whether the solution is for example periodic or chaotic. A
Lyapunov exponent provides such a measure from a comparison between a reference orbit
and a displaced orbit. Iterates of the initial condition $x_0$ are denoted the reference orbit, and
the displaced orbit is given by iterates of the initial condition $x_0 + y_0$, where $y_0$ is a vector of
infinitely small length denoting the initial displacement. The initial orientation of the initial
displacement is given by $u_0 = y_0/|y_0|$. Using this notation, the Lyapunov exponent, $h(x_0, u_0)$,
is defined as

$$h(x_0, u_0) = \lim_{n \to \infty} \frac{1}{n} \ln\left(\frac{|y_n|}{|y_0|}\right)$$

where $y_n$ is the deviation of the displaced orbit from the reference orbit, given by the n'th
iterate of $x_0$. For systems whose dimension is larger than one, there is a set or spectrum of
Lyapunov exponents, each one characterizing orbital divergence or convergence in a
particular direction. Thus, if the system has N degrees of freedom, it will have N Lyapunov
exponents which, however, are not necessarily distinct. In all practical situations, a positive
Lyapunov exponent indicates chaos. The type of irregular behavior referred to as hyperchaos
is characterized by two or more positive Lyapunov exponents. Numerical calculation of
Lyapunov exponents may be performed according to the suggested method in T.S. Parker
and L.O. Chua: Practical Numerical Algorithms for Chaotic Systems, pp. 73-81.

Even more irregular systems than hyperchaotic systems exhibit so-called turbulence, which
refers to the type of behaviour exhibited by a system having a continuous spectrum of 
positive Lyapunov exponents. Turbulence may be modeled by partial differential equations, 
for example the well-known Navier-Stokes equations. 

A large number of prior art documents are concerned with solving chaotic systems, in
particular to be used in cryptographic algorithms, also including stream cipher algorithms
relying on chaotic systems, some of which are briefly mentioned below as a general
introduction to the background art.



WO 03/104969 



PCT/DK03/00375 




US 5,007,087 assigned to Loral Aerospace Corp. discloses a method and an apparatus for 
generating random numbers using chaos. The patent describes solving chaotic systems for 
generating random number sequences and mentions its possible use in cryptography, in
particular in the field of key generation and management. The document mentions that 
repeatability of the number sequence should be avoided. 

US 5,048,086 assigned to Hughes Aircraft Company is related to an encryption system based
on chaos theory. The system uses the logistic equation $x_{n+1} = \mu x_n (1 - x_n)$, which is a mapping
exhibiting chaos for certain values of $\mu$. In the computations, floating-point operations are
used.

PCT Application WO 98/36523 assigned to Apple Computer, Inc. discloses a method of using 
a chaotic system to generate a public key and an adjustable back door from a private key. 
The need for establishing rules of precision during computations on a chaotic system is 
mentioned. The document states, as an example, that a specified floating point or fixed point 
precision can be identified along with specific standards for round-off. 

PCT Application WO 02/47272 assigned to the assignee of the present application discloses 
various aspects of cryptography, including the use of so-called fixed-point numbers. 

PCT application WO 01/50676 assigned to Honeywell Inc. discloses a non-linear cryptographic 
isolator for converting a so-called vulnerable keystream into a so-called protected keystream.
The non-linear filter cryptographic isolator includes a multiplier for performing a multiplication
function on the vulnerable keystream to provide a lower partial product array and an upper 
partial product array, and a simple unbiased operation for combining the lower partial 
product array and the upper partial product array to provide the protected keystream. 

"Numerical Methods and Software" by D. Kahaner, C. Moler and S. Nash (Prentice-Hall 
International Editions, 1989) contains a general introduction to (pseudo-)random number 
generation. The book mentions the following criteria for judging the quality of
(pseudo-)random number generators:

a) High quality: the generator should pass all the statistical tests and have an extremely long
period.

b) Efficiency: execution should be rapid and storage requirements minimal. 

c) Repeatability: Specifying the same starting conditions will generate the same sequence. 
The user should be able to restart the generator at any time, but explicit initialization is not 
necessary. A slight change in the starting procedure will result in a different random 
sequence. 

d) Machine independence and portability: The algorithm should work on different kinds of 
computers; in particular, no operation should cause the program to stop. The same sequence
of random numbers should be produced on different computers by initializing the generator in 
exactly the same way. 

e) Simplicity: The algorithm should be easy to implement and use.

The book further states that no generator can be successful in satisfying all of these criteria. 




It is further known to use fixed-point variables in numerical computations, for example in
Intel Mandelbrot computations. Intel (cf. MMX™ Technology Application Notes, 
"Implementing Fractals with MMX™ Technology", publicly accessible on 
http : /feeds r. i nteLcom/cql- 

bin/lds.dll/content/content i g p?cntKev=Leoacv::irl T Ti MANDEL 10491&cntTvpe=IDS EPITORIALfrc 
atCode=0 on 6 June 2003) has explained how a Mandelbrot set (the set being derivable from a 
non-linear system) may be computed in a fast manner using MMX technology (an add-on to 
Intel's processors which speeds up certain computations). This is done using fixed-point
computations. 

The Mandelbrot set is computed by means of the below mapping: 

Intel utilizes a constant decimal separator position in their computations. A so-called 5.11 is
utilized, i.e. a 16 bit number is utilized wherein the decimal separator is placed after the 5'th
bit, "5" referring to 5 bits after the decimal separator, "11" referring to 11 bits after the
decimal separator.

SUMMARY OF THE INVENTION 

Pseudo-random number generators such as those used in cryptography should, while allowing for
reproducibility of a sequence of pseudo-random numbers, generally be as unpredictable as
possible. In other words, an internal state of a mathematical system underlying the generator
should contain as little information as possible concerning other internal states of the
mathematical system. For example, the information that a particular value "$X_i$" was contained
in state variable "X" at iteration No. i should not in a predictable manner lead to another
value "$X_j$" which was contained in the variable "X" at another iteration, iteration No. j. When
an iterative mathematical system is expressed in discrete terms, problems with small periods
can arise in the sense that a certain degree of predictability may arise if or when the
mathematical system becomes periodic. In a cryptographic system this is a serious problem
since it will have the effect that data will be encrypted repeating the same block of
pseudo-random data, which compromises security.


The present invention provides four aspects, preferred embodiments of which improve
security by improving unpredictability:

1. Variation of a parameter of a mathematical system exhibiting a positive Lyapunov
exponent (claims 1-17)

2. Manipulation of at least one of the most significant bits of a number resulting from a
multiplication operation (claims 18-43 and 55), the "g-function"

3. Combining of the quotient and the remainder of a number resulting from a division
operation (claim 44).

4. Updating of counter values by means of a carry value (claims 45-55).



With the additional aim of improving speed in computations, the present invention provides,
in a further independent aspect:

5. Concurrent encryption and identification value generation (claims 56-61).

The above aspects of the invention will be discussed in sections 1-5 below. Disclosure and
discussions which apply to all aspects of the invention are included in sections A-L below.

1 VARIATION OF A PARAMETER OF A MATHEMATICAL SYSTEM EXHIBITING A POSITIVE 
LYAPUNOV EXPONENT 

A first aspect of the present invention provides a method for repeatedly performing
computations in a mathematical system which exhibits a positive Lyapunov exponent,
comprising varying at least one parameter of the mathematical system after a certain
number of computations. The parameter, which may, e.g., be a counter, may vary
independently of the mathematical system and may cause the mathematical system to
produce output periods which are longer than if the parameter would not have been varied,
or it may cause the mathematical system to exhibit periodic behaviour with periods which are
so long that, in any practical application, the mathematical system will not repeat itself. The
parameter may be repeatedly varied throughout computations in the mathematical system.

In connection with a system with a positive Lyapunov exponent, i.e. a system exhibiting
so-called chaotic behaviour, there exists the further challenge that rounding-off of floating-point
numbers is not necessarily performed consistently on two different processors, in which case
- due to the positive Lyapunov exponent - a sequence of pseudo-random numbers generated
on a first processor may not be reproducible on a second processor. Usually on a computer,
real numbers are represented by floating point type numbers. A floating-point number is
defined as a number consisting of a mantissa and an exponent, e.g. $31415 \cdot 10^{-4}$, where
"31415" is the mantissa and "-4" is the exponent. When a computer is performing a
calculation on a floating-point variable, it recalculates the exponent to match the result. The
name "floating-point" refers to the fact that the decimal separator is moving at calculations,
caused by the varying exponent. However, floating point arithmetic is defined differently on
various processor architectures causing different handling of precision and rounding off. The
present inventors have realised that, instead of floating-point numbers, fixed-point numbers
can be used. Thus, in embodiments of the methods of the invention, computations such as
iterations in the mathematical system, which usually comprises at least one function and is
expressed in discrete terms, are performed by means of at least one fixed-point number. All
computations may be performed as fixed-point or integer computations. A fixed-point
number is represented as an integer type number on a computer, where a virtual decimal
point or separator (also referred to as an imaginary decimal separator) is introduced
"manually", i.e. by the programmer, to separate the integer part and the fractional part of
the real number. Hence, calculations on fixed-point numbers are performed by simple integer
operations, which are identical on all processors in the sense that the same computation,
performed on two different processors, yields identical results on the two processors, except
for possible different representations of negative numbers. Such possible different
representations may occur as a consequence of some processors utilizing ones complement
and other processors utilizing twos complement. Furthermore, these operations are also
usually faster than the corresponding floating point operations. The use of fixed-point
variables is further discussed in section B below.

The mathematical system may comprise at least one non-linear map or at least one
non-linear equation, or a set of non-linear maps or a set of non-linear equations, as discussed
further below, cf. in particular section C.

The counter referred to above may be increased at each iteration in the mathematical 
system, in which case a maximum value may be defined for the counter. The method may 
thus comprise resetting the counter to a minimum value once the counter has reached said
maximum value, whereby the counter varies with a certain period. However, this does not 
necessarily mean that the mathematical system also varies with a period. Resetting the 
counter avoids overflow in the system. 
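The effect of the counter on the period can be measured directly on a system small enough to enumerate. The following is an added example, not code from the patent: the 8-bit map (square the state plus counter, XOR the high and low bytes), the counter range 0 to 255 and the names `toy_map`, `next_counter` and `state_period` are all assumptions chosen for illustration. Only integer operations are used, so the result is identical on every processor.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COUNTER_MIN 0u
#define COUNTER_MAX 255u   /* assumed maximum; the text leaves the value open */

/* Toy non-linear map (assumption): square (x + c) mod 256 to 16 bits and
   XOR the most significant byte with the least significant byte. */
static uint8_t toy_map(uint8_t x, uint8_t c)
{
    unsigned s = (uint8_t)(x + c);
    unsigned sq = s * s;                    /* at most 255 * 255 */
    return (uint8_t)((sq >> 8) ^ (sq & 0xffu));
}

/* Counter increased at each iteration and reset to the minimum value once
   it has reached the maximum value, so it can never overflow. */
static uint8_t next_counter(uint8_t c)
{
    return (c >= COUNTER_MAX) ? (uint8_t)COUNTER_MIN : (uint8_t)(c + 1);
}

/* Length of the cycle that the internal state (x, c) eventually enters.
   With vary_counter == 0 the parameter stays fixed at COUNTER_MIN. */
unsigned state_period(uint8_t x0, int vary_counter)
{
    static int32_t first_seen[65536];       /* step at which (x, c) was first seen */
    memset(first_seen, 0xff, sizeof first_seen);   /* every entry becomes -1 */

    uint8_t x = x0, c = COUNTER_MIN;
    for (int32_t step = 0; ; step++) {
        unsigned idx = ((unsigned)x << 8) | c;
        if (first_seen[idx] >= 0)
            return (unsigned)(step - first_seen[idx]);
        first_seen[idx] = step;
        x = toy_map(x, c);
        if (vary_counter)
            c = next_counter(c);
    }
}

int main(void)
{
    /* Constructed sample seeds; 0 and 1 are fixed points of the bare map. */
    const uint8_t seeds[] = { 0, 1, 2, 77, 200 };
    for (size_t i = 0; i < sizeof seeds / sizeof seeds[0]; i++)
        printf("seed %3u: period %5u without counter, %5u with counter\n",
               (unsigned)seeds[i],
               state_period(seeds[i], 0),
               state_period(seeds[i], 1));
    return 0;
}
```

Because the counter is part of the internal state and repeats only every 256 steps, the state period with the counter is always a multiple of 256, whereas the bare 8-bit map can never exceed 256 and collapses to period 1 for seeds 0 and 1.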

In order to further improve unpredictability, multiple parameters may be employed. Some of
such multiple parameters may be dynamic, i.e. varying, whereas others may be static, i.e.
constant. A constant parameter may for example be generated from a seed value provided to
the mathematical system, such as an encryption key. The variation of a first one of the
parameters, such as of a counter, may be dependent from the variation of a second one of
said counters in such a way that the period of the first counter is different from the period of
the second counter. The variation of each individual one of the counters may be dependent
from the variation of at least another one of said counters so as to obtain a period of the
counters which is longer than the period which would have existed if each individual counter
would not have been dependent from the variation of another counter. The one or more
counters may be increased linearly or by any other function.

The computations performed by the first aspect of the invention may be used for generating
pseudo-random numbers, which may be used in any kind of cryptography and/or
identification value generation.


2 MANIPULATION OF AT LEAST ONE OF THE MOST SIGNIFICANT BITS OF A NUMBER
RESULTING FROM A MULTIPLICATION OPERATION, "G-FUNCTION"

In a second aspect, the invention provides a method for manipulating a first set of data in a
cryptographic system, the first set of data comprising a first and a second number of a first
and a second bit size A and B, respectively, the method comprising:

- multiplying the first and the second number to obtain a third number of a third bit size
A+B, the third number consisting of P most significant and Q least significant bits,
wherein A+B=P+Q, and wherein Q is equal to the largest of the first bit size A and the
second bit size B, Q=max(A,B),

- manipulating the third number to obtain a fourth number which is a function of at least
one of the P most significant bits of the third number,

- using the fourth number for deriving an output of the cryptographic system.

More specifically, the fourth number may be used for generating or updating a
pseudo-random number as the output of the cryptographic system.




It has been found that a general multiplication function has good cryptographic properties.
These properties are good mixing, i.e. most input bits affect all output bits, and poor linear
approximations. Furthermore, the multiplication has the property that the number of bits of
the output is the same as the total number of bits in the inputs, i.e. if a number of bit-size A
is multiplied with a number of bit size B then the output is of bit size A+B. This larger bit size
enables further manipulation of the output, such that the final output is of a bit size smaller
than A+B, for instance A or B. Thereby improved cryptographic properties for the
manipulated multiplication function may be achieved, i.e. all input bits affect all output bits,
and all linear approximations are very poor.

The first and second number may have different bit sizes, for example 8 and 16 bit. However,
for practical reasons it may be desirable that the first and second numbers are of the same
bit size. For example, each of the first and second number may be a 32-bit number, in which
case the third number is a 64-bit number, consisting of 32 most significant and 32 least
significant bits. The fourth number may then, for example, consist of the 32 most significant
bits of the 64-bit number. The first set of data may consist of a single number, such as a
number assigned to a variable, and the first number may thus equal the second number, so
that the step of multiplying comprises squaring the first number. Such squaring may be
advantageous as compared to other multiplication functions implying the multiplication of two
different numbers, as it requires handling of a single variable only. Further, the squaring of a
number of a certain bit size A results in a number, referred to above as the third number, of
bit size $2 \cdot A$. Thus, by applying a manipulation to the third number to obtain the fourth
number of another bit size, such as bit size A, further complexity is added to cryptographic
systems incorporating the method of the second aspect of the invention. The squaring is
further advantageous, as it - when performed on small processors, such as 8- or 16-bit
processors - requires fewer operations than multiplying two different numbers whereby
computational resources may be saved. For example, multiplication of two different 32-bit
numbers requires sixteen 8-bit multiplications, whereas the squaring of a 32-bit number only
requires ten 8-bit multiplications. Also, by applying the method in a cryptographic system, a
keystream of a satisfactory quality (with respect to unpredictability) may be directly
generated as a pseudo-random output by means of simple operations, such as by XOR
operations. Further, in a cryptographic system, the squaring function does not normally
result in a certain result more often than it results in other results. However, the
multiplication of two different numbers may result in the result zero every time one of the
two numbers being multiplied has the value zero. In other words, the squaring function may
have a reduced bias towards a certain result, in particular towards zero, as compared to
other multiplication functions. Such bias towards zero may leak information concerning an
input to the multiplication, as it reveals that one of the two inputs to the multiplication
operation most likely was zero.

The fourth number may itself represent a pseudo-random number which is used as the
output of the cryptographic system. Alternatively, the fourth number may be used as an
input for further computations, such as iterations in a mathematical system, following which
a pseudo-random number or other output of the cryptographic system is derived.

In a cryptographic system one or more state variables may be iterated in a mathematical
system. A counter or variable may be added to each or some of the state variables in each or
some of the iterative steps, as described further below. The step of multiplying may comprise
identical operations in each iterative step, or it may, alternatively, comprise different
operations. For example, in a first iterative step, the step of multiplying may comprise
squaring a variable x, whereas in one or more subsequent iterative steps, the step of
multiplying may comprise multiplying variable x with another variable y.

In the case of at least two state variables being iterated, a value assigned to each of the
state variables may be updated as a function of at least one value of the same and/or
another state variable, for example according to the general formula $x_{i+1} = f(x_i, y_i)$, subscript i
denoting the i'th iteration, x and y denoting the state variables.

The step of manipulating preferably comprises using as well most significant bits of the third
number as least significant bits. The manipulating may comprise a logical or arithmetic
operation. One logical operation which is easily applied is the XOR function which may, e.g.,
be applied on a number of most significant bits and an equal number of least significant bits.
The XORing may be performed bitwise, in which case each bit of the most significant bits
may be XORed with a bit of the least significant bits. The XOR operation may thus be
performed N times, resulting in a result of bit size N. The step of manipulating may be
performed by applying an operation to bits of two or more different numbers. For example, in
a cryptographic system in which several numbers $x_1 \ldots x_n$ are being generated based on
iterations of one or more state variables, the step of manipulating may comprise XORing bits
of one number $x_m$ with bits of another number $x_p$, one or both of $x_m$ and $x_p$ representing the
third number.

Likewise, an arithmetic operation may be performed bitwise. 
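The squaring and XOR manipulation described above, together with the two quantitative claims made for squaring (less bias towards zero, and ten rather than sixteen 8-bit multiplications), can be checked as follows. This is an added example, not code from the patent; the function names are assumptions, and the 8-bit exhaustive test is a scaled-down stand-in for the 32-bit case in the text.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit case from the text (A = B = 32, P = Q = 32): square the input to
   the 64-bit third number, then XOR its 32 most significant bits with its
   32 least significant bits to obtain the 32-bit fourth number. */
uint32_t g32(uint32_t x)
{
    uint64_t sq = (uint64_t)x * x;
    return (uint32_t)(sq >> 32) ^ (uint32_t)sq;
}

/* The same fold for an 8 x 8-bit product, small enough to enumerate. */
static uint8_t fold8(unsigned a, unsigned b)
{
    unsigned p = a * b;                     /* at most 255 * 255 */
    return (uint8_t)((p >> 8) ^ (p & 0xffu));
}

/* Pairs (a, b), out of 65536, whose folded product is zero. */
unsigned zero_outputs_multiply(void)
{
    unsigned zeros = 0;
    for (unsigned a = 0; a < 256; a++)
        for (unsigned b = 0; b < 256; b++)
            if (fold8(a, b) == 0)
                zeros++;
    return zeros;
}

/* Inputs x, out of 256, whose folded square is zero. */
unsigned zero_outputs_square(void)
{
    unsigned zeros = 0;
    for (unsigned x = 0; x < 256; x++)
        if (fold8(x, x) == 0)
            zeros++;
    return zeros;
}

/* Schoolbook 32 x 32-bit product built from 8-bit limbs; *mults receives
   the number of 8 x 8-bit multiplications performed. */
uint64_t mul32_limbs(uint32_t a, uint32_t b, unsigned *mults)
{
    uint64_t acc = 0;
    *mults = 0;
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++) {
            uint64_t p = (uint64_t)((a >> (8 * i)) & 0xffu) * ((b >> (8 * j)) & 0xffu);
            acc += p << (8 * (i + j));
            (*mults)++;
        }
    return acc;
}

/* Squaring needs each cross product only once, doubled afterwards. */
uint64_t sqr32_limbs(uint32_t x, unsigned *mults)
{
    uint64_t acc = 0;
    *mults = 0;
    for (int i = 0; i < 4; i++)
        for (int j = i; j < 4; j++) {
            uint64_t p = (uint64_t)((x >> (8 * i)) & 0xffu) * ((x >> (8 * j)) & 0xffu);
            (*mults)++;
            if (j != i)
                p <<= 1;                    /* limb_i * limb_j occurs twice */
            acc += p << (8 * (i + j));
        }
    return acc;
}

int main(void)
{
    unsigned m_mul, m_sqr;
    uint32_t x = 0xDEADBEEFu;               /* constructed sample input */
    mul32_limbs(x, 0x12345678u, &m_mul);
    sqr32_limbs(x, &m_sqr);
    printf("g32(0x%08X) = 0x%08X\n", (unsigned)x, (unsigned)g32(x));
    printf("zero outputs: %u of 65536 products, %u of 256 squares\n",
           zero_outputs_multiply(), zero_outputs_square());
    printf("8-bit multiplications: %u (multiply), %u (square)\n", m_mul, m_sqr);
    return 0;
}
```

In the 8-bit model the folded product is zero for 511 of 65536 input pairs (every pair with a zero operand), about twice the 1-in-256 rate of the folded square, which is zero only for input 0.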

In a cryptographic system, the first and second number may be derived from a set of data to
be encrypted or decrypted, in which case the fourth number may be used to generate an 
encrypted or decrypted representation of the second set of data, such as plaintext or 
ciphertext, for example in a block cipher algorithm or in an algorithm for determining an 
identification value for identifying a set of data. 

The method according to the second aspect of the invention may also be applied for 
generating an identification value for identifying a second set of data. In that case, at least
one of the first and second number is derived from the second set of data, so that the fourth 
number is used for generating an identification value identifying the second set of data. The 
term "identification value" may be a hash value or a cryptographic check-sum which 
identifies the set of data, cf. for example Applied Cryptography by Bruce Schneier, Second 
Edition, John Wiley & Sons, 1996. In case a cryptographic key is used as a seed value for the 
computations, the hash function is usually referred to as a MAC function (Message 
Authentication Code). 
In any application of the method, at least one of the first and second number may be derived
from a cryptographic key, i.e. an input value for an algorithm of the cryptographic system
which is used for initializing iterations. 

In the method of the second aspect of the invention, the first number may equal the second 
number, in which case the step of multiplying comprises squaring the first number. 

In a mathematical system, in which a state variable is iterated, the state variable may be 
updated as a function of the fourth number, or as a function of a permutation of the fourth 
number, such permutation comprising, e.g., bitwise rotation of the bits of the fourth number. 

With the aim of providing a good mixing and making each output bit of the cryptographic
system dependent from as many input bits as possible, the step of multiplying may be
performed multiple times, each multiplication being performed on a number which represents
or is a function of one of a plurality of state variables, the step of multiplying thereby
resulting in a plurality of third numbers. Thus, also the step of manipulating may result in an
array comprising a plurality of fourth numbers, whereby at least one state variable may be
updated as a function of at least two of the fourth numbers.

At least one of the first and second number may be a state value X_i to which there is added a 
variable parameter value, such as a counter C_i. The step of multiplying may thus comprise 
squaring (X_i+C_i), X_i denoting a state variable or an array of state variables, and C_i denoting 
the counter or an array of counters. The at least one parameter may be repeatedly varied at 
predetermined intervals in the computations. A counter C_i may be added to the fourth 
number or to a number which is a function of the fourth number to result in an updated state 
variable X_{i+1}. 

The step of multiplying may comprise a plurality of multiplication functions resulting in a 
plurality of numbers of bit size A+B, whereby the step of manipulating may comprise 
combining at least one of the bits of a first one of the plurality of numbers with at least one 
of the bits of a second one of the plurality of numbers. The plurality of multiplication 
functions may comprise at least one squaring operation, whereby the step of manipulating 
may comprise combining at least one of the P most significant bits of a first one of the 
plurality of numbers with at least one of the Q least significant bits of a second one of the 
plurality of numbers. 

The step of multiplying is usually performed in a mathematical system in which at least one 
state variable is being iterated, most often in a system in which two or more state variables 
are being iterated. In each computational sequence, values assigned to each of the at least 
two state variables may be updated as a function of at least one value of the same and/or 
another state variable. 

In a cryptographic application, at least one of the first and second number may be derived 
from a set of data to be encrypted or decrypted, whereby the fourth number may be used for 
generating an encrypted or decrypted representation of the set of data. Likewise, the fourth 
number may be used for generating an identification value identifying the set of data. 

At least one of the first and second number may be derived from a cryptographic key. 

The method of the second aspect of the invention may advantageously be applied in a 
system/method, wherein an identification value for identifying a set of data is determined, 
and wherein a set of data is concurrently encrypted/decrypted, e.g., by means of a pseudo- 
random number generator in which numerical computations are performed in a mathematical 
system, cf. the below discussion of the fifth aspect of the invention. 

3 COMBINING OF THE QUOTIENT AND THE REMAINDER OF A NUMBER RESULTING FROM A DIVISION OPERATION 



In a third aspect, the invention provides a method for manipulating a first set of data in a 
cryptographic system, the first set of data comprising a first and a second number, the 
method comprising: 

- dividing the first number by the second number to obtain a quotient and a remainder, 

- combining, by means of a mathematical operation, the quotient and the remainder to 
obtain a resulting number, 

- using the resulting number for deriving an output of the cryptographic system. 

Such manipulating may be applied in the method according to the second aspect of the 
invention. The step of combining may comprise any manipulating discussed above in 
connection with the method according to the second aspect of the invention, for example a 
logical operation, such as an XOR operation, or an arithmetic operation. The output of the 
cryptographic system may be any output discussed above in connection with the second 
aspect of the invention. 

The method of the third aspect of the invention results in an improved mixing of numbers in 
a cryptographic system, in particular in a pseudo-random number generator. The method is 
useful in connection with any cryptographic system, including those described herein. 

4 UPDATING OF COUNTER VALUES BY MEANS OF A CARRY VALUE 

With the aim of providing a method for ensuring very long periods of a sequence of numbers 
in a cryptographic system, and thus with the aim of improving unpredictability and security, 
there is provided as a fourth aspect of the invention a method for generating a periodic 
sequence of numbers in a cryptographic system in which computational steps are repeatedly 
performed, the method comprising updating, in each computational step i, an array of 
counters, the counters being updated by a logical and/or by an arithmetic function, whereby, 
at each computational step, a carry value is added to each counter in the array, and wherein 
the carry value added to the first counter in the array, c_0, is obtained from at least one of: 
- a selected computation of a value of the array of counters, 
- a value which is a function of a counter value at a previous computational step. 



In other words, the method comprises updating, in each computational step i, an array C_i of 
counters c_{j,i}, the counters being updated as: 
c_{0,i+1} = c_{0,i} + a_0 + d_i mod N_0, 
c_{j,i+1} = c_{j,i} + a_j + b_{j-1,i+1} mod N_j for j>0, 
where: 

c_{j,i+1} is a value assigned to position j of array C at step i+1, j=0...n-1, n denoting a 
dimension of the array C, i.e. the number of elements in the array, 
c_{j,i} is a value assigned to position j of array C at step i, j=0...n-1, 
a_j is a value, typically a constant, assigned to position j of an array A, j=0...n-1, 
for j>0: b_{j-1,i+1} is a carry value resulting from the computation of c_{j-1,i+1}, 
N_j is a constant, j=0...n-1, 
for i=0: d_i=d_0 is an initial value, 
for i>0: d_i is a carry value obtained from a selected computation of a value of the array of 
counters C, and/or a function of C_i. 

It should be understood that the carry values may be zero. 

As demonstrated below, a mathematical proof is established showing that the period of the 
counter system is very long. Thus, in a pseudo-random number generator employing the 
above counter system and generating a keystream, huge amounts of data may be encrypted 
without the keystream becoming periodic by repeating itself. Thereby, unpredictability and 
security are improved. 

It should be understood that the sequence of numbers generated by the method according 
to the fourth aspect of the invention preferably has a period which is so long that the 
sequence of numbers generated, in most practical applications, does not become periodic, 
i.e. that any sequence of numbers generated is not repeated. 

The array of counters C_i will below be referred to as a "counter with carry feedback", in 
contrast to an ordinary counter of the form c_{i+1} = c_i + a mod N. In order to explain the 
effect of a counter with carry feedback, an ordinary counter will first be discussed: 

Consider a system defined by: 
c_{i+1} = c_i + a mod N, 

where c_i is the value of the counter at step i (the array C_i containing a single element, c_i), c_{i+1} 
is the value of the counter at step i+1, a is a constant number and N is a large number 
usually defined by a register size of an electronic processor which performs the computations, 
i.e. N=2^32 for a 32-bit processor. 

In the case where a=1, c is constantly incremented by 1 until it reaches the value N-1, and in 
the following iteration c restarts from zero. In such a system, the period of c is equal to N. 
The single bits in the number have, however, different periods. The least significant bit, c^(0), 
is successively added the value 1, and will thereby repeatedly obtain the values 0 and 1, i.e. 
have a period of 2. For every second incrementation this will give rise to a carry being added 
to the next bit in the register, c^(1), which thereby will have a period of 4. For bits at position j, 
the period will be given by 2^(j+1). 
Such a system suffers from the disadvantage that all bits, except the most significant, have 
periods smaller than the total period N. Another disadvantage is that the dynamic behaviour 
of the bits is rather predictable. For instance, the value of the least significant bit changes at 
every iteration. Thereby, even though the value at a given iteration is not known, the value 
will be the opposite in the following iteration. Also, the value of the most significant bit will 
change only when half of the period N has passed. This means that the value of the most 
significant bit is constant for a long time, resulting in poor non-predictability characteristics 
which are crucial in cryptographic systems. 

As indicated above, the counter with carry feedback, in a single-dimensional system, may be 
defined by: 

c_{i+1} = c_i + a + d_i mod N, 
d_{i+1} = 1 if c_i + a + d_i >= N, 
d_{i+1} = 0 if c_i + a + d_i < N, 
where c_i is the value of the counter at step i, c_{i+1} is the value of the counter at step i+1, a is a 
constant number, d_i is the value of the feedback carry at step i, and N is a large number 
usually equal to 2 to the power of the register size of the processor on which computations are 
being performed. 

Again consider the case where a=1. Starting with c_0=0, the behaviour is similar to that of the 
ordinary counter until c_i + a + b_i becomes larger than or equal to N; b_{i+1} is then put equal to 
1, and in the subsequent iterations added to the value of the counter. Thereby the period 2 
behaviour at the least significant bit is interrupted, thereby making it less predictable than in 
the case of an ordinary counter. This furthermore means that the least significant and the 
rest of the bits all will have periodic behaviour equal to that of c. This period is N-1. 

The period of the counter system with carry feedback can be proven as follows: 

The above recurrence relation is equivalent to the following linear congruential generator: 
Z_{i+1} = Z_i + A mod (N-1), 

which has a period length of N-1, when A has been chosen such that gcd(A,N-1)=1, i.e. the 
greatest common divisor of A and N-1 is one, cf. B. Schneier: Applied Cryptography, John 
Wiley & Sons, Inc. (1996). 

To show that Z is equivalent to C, we consider an initial value C_0=Z_0 for Z_0>A. The recurrence 
relation for C_i can be defined in terms of Z_i: 

C_i = Z_i if (Z_{i-1} + A) < N-1 and Z_{i-1} ≠ 0, A denoting a concatenated value a_{n-1}...a_0, cf. below, 
C_i = N-1 if (Z_{i-1} + A) = N-1 
C_i = Z_i - 1 if (Z_{i-1} + A) > N-1 or Z_{i-1} = 0 
Therefore, C_i will attain the same set of numbers as Z_i, though in a different order, except 
that C_i will attain the value N-1 but not the value A. Thus, the period of the recurrence 
relation, C, is the same as for the linear congruential generator, Z. 

To sum up, the purpose of the counter system is to generate a sequence of numbers with a 
given long period, wherein each binary value at each bit-position has the same period as 
the complete system. Additionally, the least significant bit is, due to the carry feedback, 
influenced by all other bits, which is not the case when no feedback is applied. 

WO 03/104969 PCT/DK03/00375 

The application of the long periodic sequence is to ensure that the internal state of the 
stream cipher has a large period. 

When the constant incrementation value A is chosen appropriately, it can furthermore be 
achieved that the values at each bit position in C have relatively high frequencies, i.e. 
change often. Thereby, in a situation where the values of the counter bits are secret, for 
instance when they are applied as part of the input to a stream cipher with an internal state, 
the exploitation of any relation between the output of the stream cipher and the values of the 
bits is additionally complicated since the values of the bits change relatively often. 

The value A may be appropriately chosen by ensuring that the product 
(N_0*N_1*...*N_{n-1})-1 and a concatenated value of the values a_j are mutually prime. The 
concatenated value of the values a_j is determined as a single sequence of bits a_{n-1}a_{n-2}...a_0, cf. 
the below example. 

An example of appropriately chosen constants, when performing computations with 32-bit 
registers (i.e. N=2^32), is: 

a_0 = 0X4D34D34D 
a_1 = 0XD34D34D3 
a_2 = 0X34D34D34 
a_3 = 0X4D34D34D 
a_4 = 0XD34D34D3 
a_5 = 0X34D34D34 
a_6 = 0X4D34D34D 
a_7 = 0XD34D34D3 

where 0x indicates that the numbers are represented as hexadecimal numbers. The 
connection to the single counter system with carry feedback is easily obtained by 
concatenating all constants and concatenating all counter elements, and thereby performing 
the calculations on these 256-bit numbers, i.e. with modulus 2^256. In the above example, the 
concatenated value of A is a_7a_6a_5a_4a_3a_2a_1a_0 = 

0XD34D34D34D34D34D34D34D34D34D34D34D34D34D34D34D34D34D34D34D34D34D. 

Another example of appropriately chosen constants, when performing computations with 8-bit 
registers, is: 

a_0 = 0x2C 
a_1 = 0xCB 
a_2 = 0xB2 
a_3 = 0x2C 
a_4 = 0xCB 
a_5 = 0xB2 
a_6 = 0x2C 
a_7 = 0xCB 
where 0x indicates that the numbers are represented as hexadecimal numbers. The 
connection to the single counter system with carry feedback is easily obtained by 
concatenating all constants and concatenating all counter elements, and thereby performing 
the calculations on these 64-bit numbers, i.e. with modulus 2^64. 
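
The period claims above, and the equivalence between a chain of counters and one wide counter on the concatenated constants, can be checked exhaustively on small registers. The following Python sketch is an added example, not code from the patent; it assumes 8-bit registers and chains only a_0 and a_1 of the 8-bit constants listed above so that every state can be enumerated, and all function names are chosen here.

```python
from math import gcd

def ordinary_step(c, a, n):
    """Ordinary counter: c_{i+1} = c_i + a mod N."""
    return (c + a) % n

def carry_step(state, a, n):
    """Single counter with carry feedback. state = (c_i, d_i)."""
    c, d = state
    total = c + a + d
    return (total % n, 1 if total >= n else 0)

def chain_step(state, consts, n):
    """Array of counters coupled by carries. state = ((c_0, ..., c_{n-1}), d_i).
    Counter j receives the carry of counter j-1; counter 0 receives d_i, the
    carry out of the last counter at the previous step."""
    counters, carry = state
    updated = []
    for c, a in zip(counters, consts):
        total = c + a + carry
        updated.append(total % n)
        carry = 1 if total >= n else 0
    return (tuple(updated), carry)

def cycle(step, start):
    """Iterate from `start` until a state repeats; return the states on the cycle."""
    seen, states, s = {}, [], start
    while s not in seen:
        seen[s] = len(states)
        states.append(s)
        s = step(s)
    return states[seen[s]:]

def bit_periods(values, width):
    """Minimal period of every bit position over one full cycle of counter values."""
    n = len(values)
    divisors = [p for p in range(1, n + 1) if n % p == 0]
    periods = []
    for k in range(width):
        bits = [(v >> k) & 1 for v in values]
        periods.append(next(p for p in divisors if bits == bits[p:] + bits[:p]))
    return periods

def concat(parts, width):
    """Concatenate parts[n-1]...parts[0] into one integer (parts[0] least significant)."""
    return sum(p << (width * j) for j, p in enumerate(parts))

N8 = 1 << 8
A8 = (0x2C, 0xCB)  # a_0, a_1 from the 8-bit constants; using only two is an assumption made here

def analyse():
    ordinary = cycle(lambda c: ordinary_step(c, 1, N8), 0)
    single = [c for c, _ in cycle(lambda s: carry_step(s, A8[0], N8), (0, 0))]
    chain = [concat(cs, 8)
             for cs, _ in cycle(lambda s: chain_step(s, A8, N8), ((0, 0), 0))]
    big_a = concat(A8, 8)  # concatenated constant a_1 a_0 = 0xCB2C
    wide = [c for c, _ in cycle(lambda s: carry_step(s, big_a, N8 * N8), (0, 0))]
    return {
        "ordinary_period": len(ordinary),
        "ordinary_bit_periods": bit_periods(ordinary, 8),
        "single_period": len(single),
        "single_bit_periods": bit_periods(single, 8),
        "single_missing": sorted(set(range(N8)) - set(single)),
        "chain_gcd": gcd(big_a, N8 * N8 - 1),
        "chain_period": len(chain),
        "chain_bit_periods": set(bit_periods(chain, 16)),
        "chain_equals_wide": chain == wide,
    }

if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

The ordinary counter shows bit periods 2, 4, ..., 256, whereas every bit of the carry-feedback counter has the full period N-1, and the only value never attained on the cycle is the constant itself.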


The counter system with carry feedback as discussed above may be applied for using the 
counter values as a periodic input for a cryptographic function, e.g.: 
- Using the counter values as input to a stream cipher or pseudo-random-number- 
generator with an internal state, 
- Using the counter values as part of the input in a computation of an identification value. 

In one embodiment, an internal state of a cryptographic system is updated as a function of 
the counter values, e.g. by adding a counter value to an internal state. Such update may be 
performed before the computation of a next-state value or subsequent to the computation of 
a next-state value. An output function may then be applied to the current or the next internal 
state in order to generate a pseudo-random output, often referred to as a "keystream". 

The following pseudo code illustrates a preferred embodiment of the computation of multiple 
counters, the pseudo code illustrating a single iteration of the counter: 



    // Save old counter values 
    for i=0 to 2 
        c_old[i] = c[i] 
    end for 

    // Increase counters 
    c[0] = (c[0] + a[0] + d) mod 2^32 
    if c[0] < c_old[0] then 
        b[0]=1 
    else 
        b[0]=0 
    end if 

    c[1] = (c[1] + a[1] + b[0]) mod 2^32 
    if c[1] < c_old[1] then 
        b[1]=1 
    else 
        b[1]=0 
    end if 

    // The carry out of the last counter is fed back as d in the next iteration 
    c[2] = (c[2] + a[2] + b[1]) mod 2^32 
    if c[2] < c_old[2] then 
        d=1 
    else 
        d=0 
    end if 
The following pseudo code illustrates a preferred embodiment of the computation of a single 
counter: 

    // Save old counter value 
    c_old = c 

    // Increase counter 
    c = (c + a + d) mod 2^32 
    if c < c_old then 
        d=1 
    else 
        d=0 
    end if 

In the above pseudo-codes, it is presumed that all values of a are smaller than 2^32-1. 

As will be understood from the above discussion, the size of the arrays C and A may be 1, i.e. 
n=1, so that: 
- the array C contains a single value c_{0,i}, 
- the array A contains a single value a_0, 
the counter c_{0,i} being updated as c_{0,i+1} = c_{0,i} + a_0 + d_i mod N_0. 

As further described below in connection with Fig. 4, for i>0, d_i may be a carry value 
resulting from the computation of c_{n-1,i}, i.e. the latest carry value computed at a preceding 
iterative step. 

In case the array C only contains a single element c, the number c may be successively 
incremented by the constant value a, and the value of the carry register d. If c becomes 
larger than a value N, N is subtracted from the number, i.e. modulus N, and the value in the 
carry register is set to 1. If the number is less than N, the value in the carry register is set to 
0. This procedure can formalistically be described as: 
c_{i+1} = c_i + a + d_i 

if c_{i+1} >= N then d_{i+1} = 1 else d_{i+1} = 0 
if c_{i+1} >= N then c_{i+1} = c_{i+1} - N 

In case the array C contains a plurality of elements or numbers C=(c_0, c_1, c_2, ..., c_{n-1}), such 
numbers may successively be incremented by a set of constant values A=(a_0, a_1, a_2, ... a_{n-1}) 
and values of a set of carry registers (b_0, b_1, b_2, ... b_{n-1}), b_{n-1}=d. If any of the numbers become 
larger than a value N, N is subtracted from the number in question, i.e. modulus N, and the 
value in the corresponding carry register is set to 1. The carry register involved in the 
addition is the carry arising from the neighbour number, such that the set of numbers are 
coupled by the carry registers to form a chain. The first number is added with the carry 
register from the last number in the previous incrementation. This procedure can 
formalistically be described as: 
c_{0,i+1} = c_{0,i} + a_0 + d_i. 
if c_{0,i+1} >= N then b_{0,i+1} = 1 else b_{0,i+1} = 0. 
if c_{0,i+1} >= N then c_{0,i+1} = c_{0,i+1} - N. 

The rest of the numbers are determined by: 

c_{j,i+1} = c_{j,i} + a_j + b_{j-1,i+1}. 
if c_{j,i+1} >= N then b_{j,i+1} = 1 else b_{j,i+1} = 0, for j<n-1. 
if c_{n-1,i+1} >= N then d_{i+1} = 1 else d_{i+1} = 0. 
if c_{j,i+1} >= N then c_{j,i+1} = c_{j,i+1} - N. 
The above procedure is graphically illustrated in Fig. 4. 

Alternatively, d_i may be a carry value determined in the same iteration, that is: firstly a 
constant is added to the first counter, the carry from this operation and a constant are then 
added to the next counter in the chain and so forth. This procedure is continued until and 
including the last counter in the chain, the carry from this last addition is then added to the 
first counter, and if a carry occurs it is added to the next counter and so on. The procedure is 
illustrated in the following pseudo-code: 



    // Save old counter values 
    for i=0 to 2 
        c_old[i] = c[i] 
    end for 

    // Increase counters 
    c[0] = (c[0] + a[0]) mod 2^32 
    if c[0] < c_old[0] then 
        b[0]=1 
    else 
        b[0]=0 
    end if 

    c[1] = (c[1] + a[1] + b[0]) mod 2^32 
    if c[1] < c_old[1] then 
        b[1]=1 
    else 
        b[1]=0 
    end if 

    c[2] = (c[2] + a[2] + b[1]) mod 2^32 
    if c[2] < c_old[2] then 
        d=1 
    else 
        d=0 
    end if 

    // Save the updated counter values, so that the comparisons below 
    // detect only a carry caused by adding the final carry 
    for i=0 to 2 
        c_old[i] = c[i] 
    end for 

    // Add final carry 
    c[0] = (c[0] + d) mod 2^32 
    if c[0] < c_old[0] then 
        b[0]=1 
    else 
        b[0]=0 
    end if 

    c[1] = (c[1] + b[0]) mod 2^32 
    if c[1] < c_old[1] then 
        b[1]=1 
    else 
        b[1]=0 
    end if 

    c[2] = (c[2] + b[1]) mod 2^32 

In the above pseudo-code, it is presumed that all values of a are smaller than 2^32-1. 

The computational steps which are performed in the cryptographic system usually comprise 
an iterative procedure in which an array of state variables, X, is repeatedly iterated so that at 
least one value assigned to a position in the array of state variable X at computational step 
i+1 is a function of: 

- at least one value assigned to a position in the array of state variables X at computational 
step i, and 

- at least one value assigned to a position of the array of counters C at computational step 
i. 

For example, X_{i+1} may be computed according to the general formula X_{i+1}=f(X_i, C_i), such as 
X_{i+1}=f(X_i+C_i). It should be understood that the array X may contain one or more state 
variables. 

The method of the second aspect of the invention may advantageously be applied in a 
system/method, wherein an identification value for identifying a set of data is determined, 
and wherein a set of data is concurrently encrypted/decrypted, e.g., by means of a pseudo- 
random number generator in which numerical computations are performed in a mathematical 
system, cf. the below discussion of the fifth aspect of the invention. 

Combination of carry-updating of counters and "g-function" 

In a further aspect, the invention provides a method for generating an output in a 
cryptographic system, the method combining the general concepts underlying the second and 
the fourth aspects of the invention. Thus, according to the sixth aspect of the invention, 
computational sequences may be performed as an iterative procedure wherein an array of state 
variables, X, is repeatedly iterated so that at least one value assigned to a position in the 
array of state variables X at iteration step i+1 is a function of: 

- at least one value assigned to a position in the array of state variables X at iteration i, 
and 

- at least one value assigned to a position of an array of counters C at iteration i, 
the array of counters being updated in each iteration as: 

c_{0,i+1} = c_{0,i} + a_0 + d_i mod N_0, 
c_{j,i+1} = c_{j,i} + a_j + b_{j-1,i+1} mod N_j for j>0, 
where: 

c_{j,i+1} is a value assigned to position j of array C at step i+1, j=0...n-1, n denoting a 
dimension of the array C, 
c_{j,i} is a value assigned to position j of array C at step i, j=0...n-1, 

a_j is a value assigned to position j of an array A, j=0...n-1, 

for j>0: b_{j-1,i+1} is a carry value resulting from the computation of c_{j-1,i+1}, 

N_j is a constant, j=0...n-1, 

for i=0: d_i=d_0 is an initial value, 

for i>0: d_i is a carry value obtained from a selected computation of a value of the array of 
counters C_i and/or a function of C_i, 
each iteration comprising: 

- multiplying a first number of a first bit size A and a second number of a second bit size B 
to obtain a third number of a third bit size A+B, at least one of the first and second 
number being equal to or a function of at least one value assigned to a position of the 
array of state variables X at iteration i, the third number consisting of P most significant 
and Q least significant bits, wherein A+B=P+Q, and wherein Q is equal to the largest of 
the first bit size A and the second bit size B, Q=max(A,B), 

- manipulating the third number to obtain a fourth number which is a function of at least 
one of the P most significant bits of the third number, 

- using the fourth number for deriving the output of the cryptographic system and/or for 
assigning new values to positions of the array of state variables X. 

The above method combines the qualities of the methods according to the second and fourth 
aspects of the invention, i.e. good mixing of bits and long counter periods, with the overall 
aim of improving unpredictability. 
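
Why the fourth number has to depend on the P most significant bits of the product can be measured directly. The following Python sketch is an added example, not code from the patent; it squares the 32-bit value (X+C) as described for the second aspect and compares keeping only the low half with folding the high half into it. Combining the halves by XOR, the sample inputs and all names are assumptions made here.

```python
MASK32 = 0xFFFFFFFF

def square64(x, c):
    """Third number: the 64-bit square of the 32-bit value (x + c) mod 2^32 (A = B = 32)."""
    u = (x + c) & MASK32
    return u * u

def low_half(x, c):
    """Fourth number taken from the Q = 32 least significant bits only."""
    return square64(x, c) & MASK32

def folded(x, c):
    """Fourth number that XORs the P = 32 most significant bits into the low half
    (XOR is an assumed choice of combining operation)."""
    t = square64(x, c)
    return (t >> 32) ^ (t & MASK32)

def influence(f, in_bit, samples, c):
    """Mask of output bits that change for at least one sample when input bit in_bit flips."""
    mask = 0
    for x in samples:
        mask |= f(x, c) ^ f(x ^ (1 << in_bit), c)
    return mask

def constructed_samples(count=2000):
    """Constructed inputs (multiples of an odd constant), not data from the page."""
    return [(i * 0x9E3779B1) & MASK32 for i in range(1, count + 1)]

def report(c=0x4D34D34D):
    """Map input bit -> (influence mask of low_half, influence mask of folded)."""
    samples = constructed_samples()
    return {in_bit: (influence(low_half, in_bit, samples, c),
                     influence(folded, in_bit, samples, c))
            for in_bit in (1, 8, 16, 31)}

def msb_always_reaches_folded_output(c=0x4D34D34D):
    """True if flipping input bit 31 changes the folded output for every sample."""
    return all(folded(x, c) != folded(x ^ (1 << 31), c)
               for x in constructed_samples())

if __name__ == "__main__":
    for in_bit, (low, mixed) in report().items():
        print(f"input bit {in_bit:2d}: low half {low:08x}  folded {mixed:08x}")
```

With the low half alone, input bit j (j >= 1) can never reach output bits 0 to j, and the most significant input bit reaches no output bit at all; once the high half is folded in, flipping that bit changes the output for every sample.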

It should be understood that any feature and functionality described above in connection with 
the second and fourth aspects of the invention may be applied in the method of the present 
aspect of the invention. 

The present aspect of the invention will be further discussed below in connection with Figs. 1- 
5. 

5 CONCURRENT ENCRYPTION AND IDENTIFICATION VALUE GENERATION 

In a further aspect, the invention provides a method of determining an identification value for 
identifying a set of data and for concurrently encrypting and/or decrypting the set of data. 
The method preferably comprises performing numerical computations in a mathematical 
system exhibiting a positive Lyapunov exponent, the method further comprising at least one 
of the following steps: 

- repeatedly performing mathematical computations as iterations in the mathematical 
system, whereby various parts of the set of data or modifications thereof may be used as 
input to the computations, 

- following each computation or a certain number of computations: 

- extracting a resulting number from the computations, the resulting number 
representing at least one of: 

a. at least a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of the 
mathematical system, 
- optionally determining an updated value for the identification value based on the 
resulting number, whereby various parts of the set of data or modifications thereof 
may be used as input in the step of determining, 

- encrypting and/or decrypting a certain portion of the set of data based on the 
resulting number, 

whereby as many iterations are performed as required for encrypting and/or decrypting the 
entire set of data. 

The use of one or more fixed-point variables may confer advantages related to reproducibility 
and computational speed, cf. section B below. By performing encryption/decryption and 
identification value generation concurrently, computational resources may be saved. 

Encryption and/or decryption and determining the identification value may be performed in 
the same process or in distinct processes, i.e. for example in such a way that the entire set of 
data is processed in order to obtain an intermediate result which is then used as an input for 
further computations which yield the identification value and the encrypted and/or decrypted 
version of the set of data. 

The method may comprise: 

- expressing the mathematical system in discrete terms, 

- expressing at least one variable of the mathematical system as a fixed-point number, 
- performing said computations in such a way that the computations include the at least 
one variable expressed as a fixed-point number, fixed-point variables and numbers being 
discussed further above in connection with the first aspect of the invention and in section 
B below. 

The identification value may be further modified following encryption and/or decryption of the 
entire set of data. 

Encryption/decryption and determination of the identification value can take place at the 
same time or in parallel. The identification value can be a hash value, a check-sum or a MAC 
(Message Authentication Code), see the above description. In some cases, the calculation of 
identification value and the encryption process take place sequentially. However, it can also 
be done in one working process or instance, in parallel or at the same time. This may be 
done in order to reduce the number of computations and/or to be able to process a sequence 
of data as it becomes available or is given to an algorithm which embodies the mathematical 
system, or to increase ease-of-use. The identification value can be calculated with or without 
a key. 

The identification value may be related to a specific message, i.e. the message must be used 
as input to the algorithm. Instead of first encrypting the message and then running through 
the entire message again to calculate the identification value, the two methods may be 
combined, i.e. in each iteration of the mathematical system, a pseudo-random number may 
be extracted and combined with the message in order to encrypt/decrypt, after which the 
identification value may be updated. After each iteration this intermediate identification value 
may be stored. 
In the method according to the present aspect of the invention, a mathematical system may 
be defined, the mathematical system exhibiting a positive Lyapunov exponent. The method 
may comprise the following steps: 
1. Defining a key/seed value. 

2. Performing computations on the mathematical system, and/or 

3. Performing computations on the mathematical system and the message. 

4. Extracting a pseudo-random number. 

5. Calculating a new intermediate identification value. 

6. Continuing step 2-5 until the entire message has been used in the computations 
performed on the mathematical system and the message. 
7. Calculating the final identification value based on the intermediate identification value. 

In an alternative embodiment, the method may comprise the following steps: 
1. Defining a key/seed value. 

2. Performing computations on the mathematical system and the message. 

3. Extracting a pseudo-random number. 

4. Continuing step 2-3 until the entire message has been used in the computations 
performed on the mathematical system and the message. 

5. Determining the final identification value from variables in the mathematical system. 

In the method, the 

- message may be plaintext or ciphertext, 

- message may be used as input to some or all of the calculations, 

- the pseudo-random number may be used to encrypt/decrypt the message by means of 
logical and/or arithmetical operations, 

- at least one variable is expressed in fixed-point format. 

In case of a block cipher, no pseudo-random numbers are generated, in which case step 3 
above is substituted by the step of manipulating a block or part of message in order to 
encrypt and/or decrypt it. 

In one embodiment, the calculation of the identification value is dependent on a key. 

In a mathematical system exhibiting a positive Lyapunov exponent computations may be 
performed using fixed-point arithmetic, whereby a cryptographic key (as described for a 
stream cipher) is used as an initialization value. This key, or part thereof, is also used to 
initialize the identification value. 

The determination of the identification value and encryption of a set of data, message, or 
plaintext, is then performed by 

1. Iterating the mathematical system one step. 

2. Extracting a number of n pseudo-random bits from the system. 

3. Selecting the next n bits of the data, message, or plaintext. 
4. Using a function, Fh, to obtain a new value for the identification value, given the 
extracted bits, the selected bits of the data, message or plaintext and the old value of the 
identification value. 

5. Applying the logical XOR function on the n pseudo-random bits and the selected n bits 
thereby encrypting the selected n bits of the data, message or plaintext. 

6. Steps 1 through 5 are repeated until all bits are encrypted. 

7. The system may be iterated further to extract more pseudo-random bits. 

8. Further computations may be performed on the identification value to obtain a final 
identification value. 

The generated identification value can be combined with the encrypted message, and the 
result can e.g. be transmitted over the Internet to a receiver. 

When decrypting and recalculating the identification value, the algorithm is initialized in the same 
manner as for encryption. Then the following steps are performed: 

1. Iterating the mathematical system one step. 

2. Extracting n pseudo-random bits from the mathematical system. 

3. Selecting the next n bits of the encrypted data/message. 

4. Applying the logical XOR function on the encrypted bits to decrypt these. 

5. Using a function, to obtain a new value for the identification value, given the 
extracted bits, the bits to be decrypted and the old value of the identification value. 

6. Repeating steps 1 through 5 until all bits are decrypted. 

7. The system may be iterated further to extract more pseudo-random bits. 

8. Further computations may be performed on the identification value to obtain a final 
identification value. 
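
The encryption and decryption step lists above, as a single-pass Python sketch. This is an added example, not code from the patent: ToySystem (SHA-256 chaining) is a hypothetical stand-in for the iterated mathematical system, f_h is a hypothetical choice for the function Fh, and n = 32 bits per iteration is assumed. It also assumes that on decryption the identification value is updated with the recovered plaintext bits, so that both sides arrive at the same value.

```python
import hashlib
import hmac

N_BYTES = 4  # n = 32 bits handled per iteration (assumed value)

class ToySystem:
    """Stand-in for the iterated mathematical system (assumption, not the patent's system)."""

    def __init__(self, key: bytes):
        self.state = hashlib.sha256(b"init" + key).digest()

    def iterate(self) -> None:
        """Step 1: advance the internal state by one iteration."""
        self.state = hashlib.sha256(b"step" + self.state).digest()

    def extract(self) -> bytes:
        """Step 2: extract n pseudo-random bits from the current state."""
        return hashlib.sha256(b"out" + self.state).digest()[:N_BYTES]

def f_h(extracted: bytes, message_bits: bytes, old_value: bytes) -> bytes:
    """Hypothetical Fh: new identification value from the extracted bits,
    the message bits and the old identification value."""
    data = old_value + bytes([len(message_bits)]) + extracted + message_bits
    return hashlib.sha256(data).digest()[:16]

def process(key: bytes, data: bytes, decrypt: bool = False):
    """One pass over the data: returns (transformed data, final identification value)."""
    system = ToySystem(key)
    # The key also initialises the identification value.
    ident = hashlib.sha256(b"ident" + key).digest()[:16]
    out = bytearray()
    for offset in range(0, len(data), N_BYTES):
        system.iterate()                                    # step 1
        keystream = system.extract()                        # step 2
        chunk = data[offset:offset + N_BYTES]               # step 3
        xored = bytes(a ^ b for a, b in zip(chunk, keystream))
        plaintext_bits = xored if decrypt else chunk
        ident = f_h(keystream, plaintext_bits, ident)       # update with Fh
        out += xored                                        # XOR encrypts or decrypts
    system.iterate()                                        # step 7: iterate further
    ident = f_h(system.extract(), b"", ident)               # step 8: final value
    return bytes(out), ident

def verify(expected: bytes, recomputed: bytes) -> bool:
    """Compare identification values in constant time."""
    return hmac.compare_digest(expected, recomputed)

if __name__ == "__main__":
    key = b"constructed-demo-key"                 # constructed sample key
    message = b"constructed sample message"       # constructed sample plaintext
    ciphertext, tag = process(key, message)
    recovered, tag_rx = process(key, ciphertext, decrypt=True)
    print(recovered == message, verify(tag, tag_rx))
```

A receiver recomputes the identification value while decrypting and accepts the recovered data only if verify() returns True for the transmitted value.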

End of Section 5. 

It should be understood that the present invention also extends to any apparatus and to any 
computer program for carrying out all the methods of the invention, including electronic 
devices incorporating digital signal processors. The invention also extends to data derived 
from any method and/or computer program of the present invention, and any signal 
containing such data also falls within the scope of the appended claims. It should further be 
understood that any feature, method step, or functionality described below in connection with 
the further aspects of the invention discussed below may be combined with the method of 
the first aspect of the invention. 

Further features and functions which may be employed in the various aspects of the
invention, and definitions applicable to the aspects of the present invention, are discussed
below. The below considerations apply, where appropriate, to all aspects/methods of the
present invention.

A GENERAL DEFINITIONS AND CONSIDERATIONS 

Where in the present context, the term "pseudo-random number" is used, this should be
understood as a random number which may be generated in a reproducible and/or
deterministic way, i.e. in a way that results in the same pseudo-random number being
generated in two different executions of a pseudo-random number generating algorithm
when the same key or seed value is used as an input for the pseudo-random number
generating algorithm in the two executions.

In general, a mathematical system may comprise a system which expresses certain relations 
between variables. For example, such relations may be constituted by mathematical 
operations, including discrete operations, such as binary and/or logical operations. Thus, 
mathematical operations may comprise multiplication, division, addition, subtraction, 
involution, AND, OR, XOR, NOT, shift operations, modulus (mod), truncation and/or rounding
off. 

Numerical computations may involve computations in which numbers are manipulated by
mathematical operations. 

A counter is herein defined as a variable which may serve as a parameter in a mathematical
system. The counter is continuously iterated and updated by means of a mathematical
function. Such a function may, e.g., be a simple addition, $c_{i+1} = c_i + a$, where $c_{i+1}$
represents the counter value at iteration step $i+1$, $c_i$ represents the counter value at
iteration step $i$, and $a$ is a number added to $c_i$. The function may alternatively be more
sophisticated and include linear and/or non-linear operations and/or logical operations.
Preferably, the counter varies independently of the mathematical system in which the counter
is used as a parameter.

In the present context, the term "data carrier" or "computer readable data carrier" should be 
understood as any device or media capable of storing data which is accessible by a computer 
or a computer system. Thus, a computer readable data carrier may, e.g., comprise a 
memory, such as RAM, ROM, EPROM, or EEPROM, a CompactFlash Card, a MemoryStick 
Card, a floppy or a hard disk drive, a Compact Disc (CD), a DVD, a data tape, or a DAT tape. 

Signals comprising data derived from the methods of the present invention and data used in
such methods may be transmitted via communications lines, such as electrical or optical
wires or wireless communication means using radio or optical transmission. Examples are the
Internet, LANs (Local Area Networks), MANs (Metropolitan Area Networks), WANs (Wide Area
Networks), telephone lines, leased lines, private lines, and cable or satellite television
networks.

In the present context, the term "electronic device" should be understood as any device
capable of processing data by means of electronic or optical impulses. Examples of applicable
electronic devices to the methods of the present invention are: a processor, such as a CPU, a
microcontroller, or a DSP (Digital Signal Processor), a computer or any other device
incorporating a processor or another electronic circuit for performing mathematical
computations, including a personal computer, a mainframe computer, portable devices,
smartcards, chips specifically designed for certain purposes, e.g., encryption. Further
examples of electronic devices are: a microchip adapted or designed to perform computations
and/or operations, and a chip which performs binary operations.

Processors are usually categorized by: (a) the size of data that is operated on, (b) the
instruction size and (c) the memory model. These characteristics may have different sizes,
normally between 4 and 128 bit (e.g. 15, 16, 32, 64 bit) and not limited to powers of two.

In the present context, the term "processor" covers any type of processor, including but not
limited to:

- "Microcontroller", also called "embedded processor". The terms "microcontroller" and
  "embedded processor" usually refer to a small processor (usually built with fewer
  transistors than big processors and with limited power consumption). Examples of
  microcontroller architectures are:
  - Z80
  - 8051 (e.g. produced by Intel)
  - CPU8 / 6800 (e.g. 68HC05, 68HC08 and 68HC11, e.g. produced by Motorola)
  - CPU32 / 68k (e.g. 68000 Dragonball produced by Motorola)

- Other processors which are typically used in different kinds of computer and control
  systems, examples of architectures being:
  - Alpha 21xxx (e.g. 21164, 21264, 21364)
  - AMD x86-64 (e.g. Sledgehammer)
  - ARM (e.g. ARM 10, Strong ARM)
  - CPU32 / 68k (e.g. 68000, 68030, 68040, e.g. produced by Motorola)
  - IA32 (e.g. the x86 family produced by Intel (e.g. i486, Pentium), AMD (e.g. K6, K7),
    and Cyrix)
  - IA64 (e.g. Itanium produced by HP/Intel)
  - MIPS (e.g. R4000, R10000 produced by SGI)
  - PA-RISC (e.g. 8000, produced by HP)
  - PowerPC (e.g. G3, G4, produced by IBM/Motorola)
  - SPARC (e.g. UltraSPARC II, UltraSPARC III, produced by SUN)

- DSPs. Examples are:
  - DSP56300 (produced by Motorola)
  - MSC8100 (produced by Motorola)
  - TI TMS320C6711 (produced by Texas Instruments).

In the present context, the term "register" should be understood as any memory space
containing data, such as a number, the memory space being for example a CPU register,
RAM, memory in an electronic circuit, or any data carrier, such as a hard disk, a floppy disk,
a Compact Disc (CD), a DVD, a data tape, or a DAT tape.

It should be understood that the present invention also relates to, in independent aspects,
data derived from the methods of the present invention. It should also be understood that
where the present invention relates to methods, it also relates to, in independent aspects,
computer programs being adapted to perform such methods, data carriers or memory means
loaded with such computer programs, and/or computer systems for carrying out the
methods.

Any and all computational operations involved in the methods of the present invention may
be carried out on or by means of an electronic device.

In one aspect, which constitutes an independent aspect of the present invention, there is
provided a method of performing numerical computations in a mathematical system comprising
at least one function, the method comprising the steps of:

- expressing the mathematical system in discrete terms,

- expressing at least one variable of the mathematical system as a fixed-point number,

- performing said computations in such a way that the computations include the at least
  one variable expressed as a fixed-point number,

- obtaining, from said computations, a resulting number, the resulting number representing
  at least one of:

  - a. at least a part of a solution to the mathematical system, and

  - b. a number usable in further computations involved in the numerical solution of the
    mathematical system,

the method further comprising:

- extracting a set of data which represents at least one of:

  - I. a subset of digits of the resulting number, and

  - II. a subset of digits of a number derived from the resulting number.

A subset of a number may be regarded as a part of that number, such as some, but not
necessarily all digits or bits of the number. For example, the 8 least significant bits of a 16-bit
number may be regarded as a subset of the 16-bit number.

The term "extracting" covers, but is not limited to: outputting the number or subset in
question, for example as a keystream or a part of a keystream or as any other final or
intermediate result of a computational process; storing the number or subset in question in a
register, for example in order to allow for further use thereof, such as for further
computations, on the subset.

By extracting a subset of digits of a number instead of extracting the entire number, random
properties are improved in case the method is used in a pseudo-random number generator,
for example for encryption and/or decryption purposes. Moreover, as only a subset is
extracted, less information concerning the internal state of the mathematical system is
contained in the extracted set of data, which enhances the security of an
encryption/decryption system incorporating the method.






Though the mathematical system may comprise a continuous system, for example a system
of differential equations, it may also or alternatively comprise a system which is originally
defined in discrete terms, for example in the case of a map. The at least one function of the
mathematical system may be non-linear, as discussed in more detail in section C below.



Usually, the subset of digits comprises k bits of an m-bit number, k ≤ m, for example
extracting 8 bits of a 32-bit number. The number from which the subset is extracted and/or
the extracted set of data may be expressed as one or more binary numbers, octal numbers,
decimal numbers, hexadecimal numbers, etc. The k bits may be the least significant bits of
the number, or they may be k bits selected from predetermined or random positions within the
number from which the bits are extracted. For example, from a 64-bit number, bits Nos. 42,
47, 53, 55, 56, 57, 61, and 63 may be extracted, or bits Nos. 47-54.

In the methods of the present invention, one or more computations may be performed as 
floating-point operations. The step of expressing at least one variable of the mathematical 
system as a fixed-point number may thus comprise converting a floating-point type number 
to an integer type number, optionally performing a certain manipulation on the integer 
number, for example truncating it, and converting the integer number back to a floating- 
point type number. 

The methods of the invention may be applied for encryption and decryption, modulation of
radio waves, synchronization of chaos in picture and sound signals so as to reduce noise,
data compression, in control systems, watermarking, steganography, e.g. for storing a
document in the least significant bits of a sound file, so as to hide the document in digital
transmission.

Many SIM-cards and smart cards exhibit weaknesses to power analysis attacks, which
exploit the fact that the power consumption is directly related to the arithmetic functions
performed by the processor. To avoid this, a program for executing one of the methods
described herein may randomly execute some operations whose only function is to disrupt the
systematic power consumption. The pseudo-random number generator may be used to
determine the operations to be performed.

The pseudo-random number generator can be used to generate keys for other encryption
algorithms, i.e. asymmetric or public-key algorithms. For example, it could be used to
generate pseudo-random numbers used to calculate at least one prime number. In this way it
is possible to generate the public and private key pair used in the RSA algorithm.

In the present context, the term "resulting number" should be understood as any number
occurring in the computations. More than one resulting number may be obtained. The
resulting number may, as stated above, be a part of the solution to the mathematical system
and/or an intermediate result, i.e. a number assigned to any variable or parameter of the
mathematical system or to any other variable or parameter used in the computations. In an
implementation of a mathematical method, the resulting number or a part thereof may be
extracted, for example as a pseudo-random number for use in an encryption/decryption
system. Alternatively, one or more mathematical and/or logical operations may be performed
on the resulting number or on a plurality of resulting numbers, so as to obtain a further
number which is extracted. All or only selected bits in a binary representation of the resulting
number may be extracted. It should be understood that a number generated from selected
bits of a number occurring in the computations may be referred to as the resulting number.
Thus, the term "resulting number" also covers any part of a number occurring in the
computations.

The methods of the invention are, as discussed above, useful in cryptography, for example in
the following implementations: a symmetric encryption algorithm, a public key (or
asymmetric key) algorithm, a secure or cryptographic Hash function, or a Message
Authentication Code (MAC). These algorithms may, for example, be used in accomplishing
one or more of the following tasks:

- Ensuring confidentiality of digital data, so as to protect data from unauthorized access.

- Ensuring integrity of digital data, so as to ensure that information is accurate or has not
  been tampered with.

- Authorization, e.g. to allow permission to perform certain tasks or operations.

- Authentication, such as user authentication, so as to verify the identity of another party,
  or data origin authentication, so as to verify the origin of the data.

- Nonrepudiation, to provide proof of participation in an electronic transaction, for example
  to prevent that a first person A sends a message to a second person B and subsequently
  denies that the message has been sent. Digital signatures are used for this purpose. The
  generation of a digital signature may incorporate the use of a public key algorithm and a
  hash function.

The methods of the invention are also applicable to a so-called Hash function. A Hash
function provides a kind of digital fingerprint wherein a small amount of data serves to
identify other data, usually a set of data which is considerably larger than the aforementioned
small amount of data. Hash functions are usually public functions wherein no secret keys are
involved. Hash functions can also provide a measure of authentication and integrity. They are
often essential for digital signature algorithms and for protecting passwords, as a Hash value
of a password may be used for password control instead of the password itself, whereby only
the hash value and not the password itself needs to be transmitted, e.g. via a
communications network.

A Hash function employing a secret key as an input is often referred to as a MAC algorithm or
a "keyed Hash function". MAC algorithms are used to ensure authentication and data
integrity. They ensure that a particular message came from the person or entity from whom
it purports to have come (authentication), and that the message was not altered in
transit (integrity). They are used in the IPsec protocols (cf. RFC 2401 available on
http://www.rfc-editor.org on 6 June 2003), for example to ensure that IP packets have not
been modified between when they are sent and when they reach their final destination. They
are also used in all sorts of interbank transfer protocols.

As discussed above, the methods of the invention may be implemented in a Hash or a MAC
algorithm. A Hash or a MAC algorithm calculates a checksum of an amount of data of an
arbitrary length, and gives the checksum as a result. The process should be irreversible
(one-way), and a small change of an input value should result in a significantly different output.
Accordingly, the sensitivity to data input should be high. Whereas a Hash function does not
use a key as a seed value, a MAC algorithm uses such a key which represents or determines
a seed value for the algorithm, whereby the result depends on the key. Instead of a key, the
Hash function relies on a constant value, for example certain bits from the number *.
Alternatively, a part of the data to which the Hash function is applied may be used as a seed
value.

A Hash/MAC algorithm may be implemented as follows:

- A mathematical system in the form of a logistic map is used in the algorithm, the logistic
  map having the form: $x_{n+1} = \lambda x_n (1 - x_n)$, wherein $\lambda$ is a parameter. Other
  chaotic systems may be employed, such as the Lorenz system which is discussed in detail
  hereinafter.

- As the result of the algorithm should depend on the message m for which the checksum
  is to be calculated, the message is incorporated in the system as a component thereof.
  For example, a kind of coupling between the message and the dynamic variable, x, may
  be performed as follows: $x_{n+1} = \lambda x_n (1 - x_n) + \varepsilon (x_n - m_n)$.

- The parameters $\lambda$ and $\varepsilon$ and the initial value $x_0$ may be predetermined and/or
  derived from the message. In the case of a MAC algorithm, the parameters $\lambda$ and
  $\varepsilon$ and the initial value $x_0$ may, completely or partially, be determined by the
  secret key.

- The system is iterated until the end of the message is reached. The last calculated value
  of x or part thereof, such as the least significant digits, is denoted, for example, the Hash
  value, the MAC or the checksum. Alternatively, a number of additional iterations may be
  performed prior to extracting the resulting number. Instead of or in addition to extracting
  the last calculated value of x, certain bits which have been ignored in the computations
  may be extracted as the Hash value.

- The way of introducing the message, m, into the dynamical system can be varied. As an
  example, a part of the message may be used to influence the x-variable in each iteration.
  Such influence may, e.g., be achieved by XORing certain bits of the message into the
  least significant digits of x.
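The coupled logistic map described above, carried out with integers only, as an added Python example that is not part of the original text. The number formats (U(0.32) for x, ε and the message values, U(2.30) for λ), the key layout, the wrap-around on overflow, the 16 additional iterations and the 16-bit tag are assumptions made for illustration.

```python
import hmac

FRAC = 32                  # x, epsilon and m_n are unsigned fixed-point U(0.32)
ONE = 1 << FRAC            # the value 1.0 in that format
MASK = ONE - 1
LAM_FRAC = 30              # lambda is U(2.30), so any value below 4.0 fits in 32 bits


def step(x: int, m: int, lam: int, eps: int) -> int:
    """One iteration x_{n+1} = lam*x_n*(1 - x_n) + eps*(x_n - m_n).

    Products are formed at full width and truncated back to U(0.32). A result
    outside [0, 1) wraps around, i.e. its integer bits are cut off (assumption).
    """
    logistic = (lam * x * (ONE - x)) >> (LAM_FRAC + FRAC)
    coupling = (eps * (x - m)) >> FRAC       # arithmetic shift, floors negatives
    return (logistic + coupling) & MASK


def derive_parameters(key: bytes):
    """Hypothetical key layout: three 32-bit words give lambda, epsilon and x_0."""
    if len(key) < 12:
        raise ValueError("key must be at least 12 bytes")
    lam = (15 << 28) | (int.from_bytes(key[0:4], "big") >> 4)   # 3.75 <= lam < 4
    eps = int.from_bytes(key[4:8], "big") >> 4                  # 0 <= eps < 1/16
    x0 = int.from_bytes(key[8:12], "big") | 1                   # non-zero start
    return lam, eps, x0


def logistic_mac(key: bytes, message: bytes,
                 extra_rounds: int = 16, tag_bits: int = 16) -> int:
    """Iterate over the message, run additional iterations, then extract the
    least significant digits of the last x as the checksum."""
    lam, eps, x = derive_parameters(key)
    for byte in message:
        x = step(x, byte << (FRAC - 8), lam, eps)     # m_n = byte / 256
    for _ in range(extra_rounds):
        x = step(x, 0, lam, eps)
    return x & ((1 << tag_bits) - 1)


def verify(key: bytes, message: bytes, tag: int, tag_bits: int = 16) -> bool:
    """Recompute the checksum and compare it with the received one in constant time."""
    expected = logistic_mac(key, message, tag_bits=tag_bits)
    size = (tag_bits + 7) // 8
    return hmac.compare_digest(expected.to_bytes(size, "big"),
                               tag.to_bytes(size, "big"))


if __name__ == "__main__":
    key = b"constructed!"                     # constructed 12-byte sample key
    for text in (b"transfer 100", b"transfer 900"):
        print(text, hex(logistic_mac(key, text)))
```

Since every operation is an integer operation with a defined truncation, the same key and message give the same checksum on any processor, which is the reproducibility argument section B makes for fixed-point variables.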

For further details concerning Hash/MAC functions, reference is made to Applied
Cryptography by Bruce Schneier, Second Edition, John Wiley & Sons, 1996.

One possible field of use of the methods of the invention is public-key
encryption, also referred to as asymmetric algorithms. The key used for decryption is
different from the key used for encryption. For example, a key-generation function generates
a pair of keys, one key for encryption and one key for decryption. One of the keys is private,
and the other is public. The latter may for example be sent in an unencrypted version via the
Internet. The encryption key may constitute or contain parameters and/or initial conditions
for a chaotic system. A plaintext is used to modulate the chaotic system, which is irreversible
unless initiated by the private key. For decryption, a mathematical system is used which has
dynamics which are inverse to the dynamics of the system used for encryption.

B FIXED-POINT VARIABLES

Fixed-point variables are mentioned in section 1 above and will now be further discussed,
starting from a brief discussion of certain disadvantages related to floating point variables
which arise in connection with certain cryptographic methods.

The utilization of floating point variables in the numerical solution of mathematical systems
may create non-predictable truncation and/or rounding errors. In case of the mathematical
system to be solved being non-linear, and in particular in case of the system being chaotic,
the accuracy of the solution at all integration steps is of paramount importance, as a small
deviation at one step may confer huge deviations at subsequent steps. If the truncation
and/or rounding errors are created consistently in the same manner in any and all
computations, two solutions based on the same initial conditions are identical, and
accordingly the computations are reproducible. However, in most cases truncation and/or
rounding errors of floating point numbers are not entirely controlled by software but also by
the hardware on which the software is running. Accordingly, truncation and/or rounding errors
are hardware dependent, and consequently truncations and/or roundings may be performed
differently in two different hardware processors. For most computations this is without
importance, as the truncations and roundings create inaccuracies of an order of magnitude
which is far below the required accuracy of the computations. But in the solution of, e.g.,
chaotic systems, a small deviation in the way truncations are performed may confer huge
deviations in the solution at later computational steps.

Therefore, with the aim of being able to control, by software, truncation or rounding errors 
created by hardware, the present inventors have proposed the use of fixed-point variables. 

In general, a fixed-point number type is denoted $\Phi(\alpha.\beta)$, where $\alpha$ is the number of
bits used to hold the integer part, and $\beta$ the number of bits to hold the fractional part. The
values of $\alpha$ and $\beta$, and thus the position of the decimal point, are usually predetermined
and stationary. The fixed-point number can be either unsigned or signed, in which case $\Phi$ is
denoted U or S respectively. In the latter case, a bit is needed to hold the sign, thus
$\alpha+\beta+1$ bits are needed to hold $S(\alpha.\beta)$. The range of $U(\alpha.\beta)$ is
$[0; 2^{\alpha} - 2^{-\beta}]$, and the range of $S(\alpha.\beta)$ is $[-2^{\alpha}; 2^{\alpha} - 2^{-\beta}]$. The
resolution of the fixed-point numbers is thereby $2^{-\beta}$.

The position of the decimal separator in a fixed-point number is a weighting between digits in
the integer part and digits in the fraction part of the number. To achieve the best result of a
calculation, it is usually desired to include as many digits after the decimal separator as
possible, to obtain the highest resolution. However, it may also be important to assign
enough bits to the integer part to ensure that no overflow will occur. Overflow is loading or
calculating a value into a register that is unable to hold a number as big as the value loaded
or calculated. Overflow results in deletion of the most significant bits (digits) and possible
sign change.

In the various aspects of the present invention, the position of the decimal separator may be
assigned at design time. To choose the right position, the possible range of the number, for
which the position is to be chosen, is preferably analyzed. The most positive and most
negative possible values are determined, and the highest absolute value of the two is
inserted into the following formula:
$\alpha = \mathrm{ceil}(\log_2(\mathrm{abs}(\mathit{MaxVal})))$
to determine the value of $\alpha$.

The position of the decimal point may vary between different fixed-point variables. However,
addition and subtraction operations require input numbers with similar positions. Hence, it is
sometimes necessary to shift the position of the decimal point. Right shift by n bits
corresponds to a conversion from $\Phi(\alpha.\beta)$ to $\Phi(\alpha+n.\beta-n)$. Left shift by n bits will
convert $\Phi(\alpha.\beta)$ to $\Phi(\alpha-n.\beta+n)$. Conversion of unsigned numbers is done by logical
shift operations, whereas arithmetical shifts are used for signed numbers.

The mathematical operations addition, subtraction, multiplication and division on fixed-point
numbers are carried out as plain integer operations. The addition and subtraction operations
may result in a number of size $\Phi(\alpha+1.\beta)$ because of the carry. However, the result is
normally truncated to give a number with the same format as the input.

Multiplication and division do not require arguments with similar positions of the decimal
separators. However, prior to division, the numerator is expanded as it must have twice the
length of the denominator and the result. The results will have a format of:
$S(\alpha.\beta) \cdot S(c.d) = S(\alpha+c+1.\beta+d)$ and $S(\alpha+c+1.\beta+d) / S(\alpha.\beta) = S(c.d)$.
For unsigned multiplication and division $S(\alpha+c+1.\beta+d)$ is replaced by $U(\alpha+c.\beta+d)$.
Exceeding digits in the multiplication compared to the predetermined result format are cut
off to match the target register size.
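The unsigned fixed-point rules of this section worked through in Python, as an added example that is not part of the original text; the names `Fmt`, `integer_bits`, `to_fixed`, `convert`, `add` and `mul` are hypothetical. It also covers one edge case of the design-time formula: for MaxVal = 4 it gives 2 integer bits, but the largest value of U(2.b) is 4 - 2^-b, so a MaxVal that is an exact power of two needs one more bit.

```python
import math
from typing import NamedTuple, Tuple


class Fmt(NamedTuple):
    """Unsigned fixed-point format U(a.b): a integer bits, b fractional bits."""
    a: int
    b: int

    @property
    def width(self) -> int:
        return self.a + self.b


def integer_bits(max_val: float) -> int:
    """ceil(log2(abs(MaxVal))), the design-time formula from the text."""
    return max(0, math.ceil(math.log2(abs(max_val))))


def to_fixed(value: float, fmt: Fmt) -> int:
    """Encode a non-negative real number, truncating digits below 2**-b."""
    raw = int(value * (1 << fmt.b))
    if value < 0 or raw >> fmt.width:
        raise OverflowError(f"{value} does not fit U({fmt.a}.{fmt.b})")
    return raw


def to_float(raw: int, fmt: Fmt) -> float:
    """Decode for display only; the computations themselves stay in integers."""
    return raw / (1 << fmt.b)


def convert(raw: int, src: Fmt, dst: Fmt) -> int:
    """Move the separator with logical shifts: a right shift by n turns
    U(a.b) into U(a+n.b-n), a left shift by n turns it into U(a-n.b+n)."""
    n = src.b - dst.b
    raw = raw >> n if n >= 0 else raw << -n
    if raw >> dst.width:
        raise OverflowError("integer part of the target format is too small")
    return raw


def add(x: int, y: int, fmt: Fmt) -> Tuple[int, bool]:
    """Plain integer addition of two numbers in the same format. The exact sum
    is U(a+1.b); it is truncated back to U(a.b) and the lost carry is reported."""
    total = x + y
    return total & ((1 << fmt.width) - 1), bool(total >> fmt.width)


def mul(x: int, fx: Fmt, y: int, fy: Fmt, out: Fmt) -> Tuple[int, bool]:
    """U(a.b) * U(c.d) = U(a+c.b+d); digits exceeding `out` are cut off.
    The second return value reports whether integer digits were lost."""
    full = x * y                              # exact product in U(a+c.b+d)
    drop = fx.b + fy.b - out.b                # fractional digits to discard
    scaled = full >> drop if drop >= 0 else full << -drop
    return scaled & ((1 << out.width) - 1), bool(scaled >> out.width)


if __name__ == "__main__":
    u26, u08 = Fmt(2, 6), Fmt(0, 8)
    x, y = to_fixed(3.75, u26), to_fixed(0.5, u08)
    product, lost = mul(x, u26, y, u08, u26)
    print(to_float(product, u26), lost)       # 3.75 * 0.5 in U(2.6)
    print(add(x, x, u26))                     # 7.5 does not fit U(2.6): carry lost
```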

A fixed-point number may be handled by representing the integer part of the fixed-point
number in one register, and representing the fractional part in another register.

Further information on fixed-point calculations can be found in "Fixed-Point Arithmetic: An
Introduction" by R. Yates (the text can be found at
http://personal.mla.bellsouth.net/lig/y/a/yatesq/fp.pdf on 6 June 2003).

In the present context, a fixed-point variable is defined as an integer type number with an
imaginary decimal separator, an integer being defined as a number without digits after the
decimal separator. Accordingly, real numbers are represented by inserting the imaginary
decimal separator (or decimal point) at some fixed predetermined position within an integer,
for example four digits from the left. The position might be changed as a consequence of a
mathematical operation on the number. The position may also be forced to be changed by
use of a logical operation.

As appears from the above discussion, fixed-point numbers are integers on which a virtual
decimal separator is imposed. The number consists of a so-called "integer part", referring to
the bits before the decimal separator, and a "fraction part", referring to the bits after the
decimal separator. In the present context, bits are also referred to as digits and vice versa.

In a computer program comprising fixed-point number computations or in an electronic
circuit or device for performing fixed-point computations, means may be provided for
determining a suitable location of the decimal separator. Thus, the program, circuit or device
may, during computations, detect possible overflow and, in the case of a possible overflow
being detected, change the number of bits on either side of the decimal separator, i.e. the
location of the decimal separator in a register which stores the variable or variables in
question. This change may be performed by moving the decimal separator one or more
positions to the left or to the right. Preferably as many bits as possible are used to the right
of the decimal separator in order to minimize the number of possible unused bits in the
register and thereby to obtain an optimal accuracy in the computations. By changing the
position of the decimal separator, though some computational speed may be lost due to the
requirement for additional operations for detecting possible overflow, the accuracy of the
computations is optimized while the risk of overflow is eliminated or reduced, without a
designer or programmer of an application incorporating the computer program, circuit or
device needing to make considerations concerning accuracy and overflow in a design or
programming phase. Alternatively, or additionally, a test program may be provided which
determines when or where in the computations overflow will occur or is likely to occur, so
that a programmer or designer of the program may fix the position of the decimal separator
in one or more variables such that no overflow occurs, whereby, in the final implementation,
no determination of possible overflow is needed. However, the determination of possible
overflow may also be incorporated in the final implementation as an additional safeguarding
feature. Further, the programmer or designer may choose to implement changing of the
decimal separator at fixed, predetermined stages in the computations.






As discussed above, a real number may be expressed by means of one or more fixed-point
numbers. Likewise, a complex number, $c = a + ib$, where $i^2 = -1$, may be expressed by means of
one or more fixed-point numbers, e.g. by expressing the real part a and/or the imaginary
part b as a fixed-point number. In case only one of the real and imaginary parts is expressed
as a fixed-point number, the other one may be expressed by means of any other type of
number, such as a floating-point or an integer number.

In the methods according to the invention, the computations involving the variable expressed
as a fixed-point number may possibly include computations on other types of variables,
including one or more variables expressed as other kinds of numbers, such as floating point
numbers and integer numbers.


The use of fixed-point numbers has the advantage over floating-point numbers that rounding
and/or truncation errors occurring in fixed-point number computations are identically
defined on all processors. By use of fixed-point variables, decimal numbers may be expressed
as integer type numbers where an imaginary decimal separator is placed in the number. In
cases where floating-point variables are used, truncation/rounding errors are not performed
identically on different types of processors.


As a consequence of truncation/rounding errors being controllable or predictable, numerical
computations in mathematical systems which are sensitive to truncation/rounding errors may
be performed in a reproducible manner. Thus, for example, non-linear systems, in particular
chaotic systems, may be numerically solved in a reproducible manner. This opens up the
possibility of utilizing chaotic systems in pseudo-random number generators, such as in
encryption/decryption algorithms, without the need for feed-back or correction algorithms or
registers in order to prevent inaccuracies, or without the need for synchronization techniques
ensuring identical solution of the systems in encryption as in decryption. This in turn
contributes to the computations, the pseudo-random number generation and/or the
encryption/decryption algorithm being fast as compared to algorithms involving such
feed-back or correction algorithms or synchronization techniques. Further, there is no need for
transmission of synchronization data with the encrypted data, such synchronization data
often amounting to a size comparable to the size of the encrypted data, which may be a
major problem due to, e.g., lack of bandwidth when transmitting data via the Internet.
Further, transmission of such data compromises the security of the system. The
computations are also performed faster than computations in methods involving a
floating-point variable for the variable in question, as in computations involving fixed-point
numbers the hardware processor performs computations as integer number computations,
computations on integer numbers being generally faster than computations on floating-point
numbers.


C APPLICABLE MATHEMATICAL SYSTEMS AND COMPUTER IMPLEMENTATION THEREOF, 
IN PARTICULAR WITH A VIEW TO CRYPTOGRAPHIC APPLICATIONS 

In the methods described herein, the mathematical system may be a discrete or a continuous
system. Various types of mathematical systems are discussed below.

The computations may involve at least a first and a second fixed-point number, each
fixed-point number having a decimal separator, wherein the decimal separator of the first
fixed-point number is positioned at a position different from the position of the decimal separator
of the second fixed-point number. The decimal separator of the first and second fixed-point
number may be positioned at selected positions.

The resulting number may be expressed as a variable selected from the group consisting of:
an integer number,
a floating point number, and
a fixed-point number.

In general, the mathematical system may comprise one or more differential equations, or
one or more discrete maps or mappings. In the case of differential equations, the
mathematical system may comprise one or more ordinary differential equations and/or one
or more partial differential equations. In the case of discrete mappings, the mathematical
system may comprise one or more area-preserving maps and/or one or more non
area-preserving maps. At least one function of the mathematical system may be non-linear.

The method is also applicable to other types of functions or equations, including integral
equations. The at least one non-linear differential equation or mapping may exhibit chaotic
behavior, i.e. it may have at least one positive Lyapunov exponent, in which case the method
may comprise computing a Lyapunov exponent at least once during the mathematical
computations. In case of a mathematical system exhibiting chaotic behavior, the method may
advantageously be applied in a pseudo-random number generating method, such as in an
encryption/decryption method. At least one Lyapunov exponent may be computed at least
once during the mathematical computations in order to determine whether the mathematical
system exhibits chaotic behavior. If this is not the case, e.g. if the computed Lyapunov
exponent is not positive, the computations may be interrupted and resumed from other initial
values and/or other parameters.

The at least one non-linear differential equation or mapping preferably governs at least one
state variable, X, which may be a function of at least one independent variable, t.

More specifically, the mathematical system may comprise one or more of the following
systems:

WO 03/104969 



PCT/DK03/00375 



- continuous differential equations, including:
  - partial differential equations, such as the Navier-Stokes equations,
  - ordinary differential equations, including:
    - autonomous systems, such as dissipative flows, including the Lorenz system,
      coupled Lorenz systems, the Rössler system, coupled Rössler systems, hyper
      chaotic Rössler system, the Ueda system, simplest quadratic dissipative chaotic
      flow, simplest piecewise linear dissipative chaotic flow
    - Hamiltonian systems, including the N body problem from celestial mechanics, for
      N ≥ 3,
    - Non-autonomous systems, including forced systems, such as the forced Duffing's
      equation, forced negative resistance oscillator, forced Brusselator, forced damped
      pendulum equation, coupled pendulums, forced double-well oscillator, forced Van
      der Pol oscillator,
  - delay differential equations, including delay logistic equation, population models,
- Discrete mappings, including
  - area preserving as well as non area-preserving maps, including
    - maps which are piecewise linear in any dimension, such as a tent map, an
      asymmetric tent map, 2x modulo 1 map, and also the Anosov map, the
      generalized Baker's map, the Lozi map, as well as higher order generalizations
      and/or couplings of piecewise linear maps
    - polynomial maps (quadratic or higher), including a logistic map, the Hénon map,
      higher order generalizations and/or couplings of polynomial map, e.g. N coupled
      logistic maps, N coupled Hénon maps,
    - Trigonometric maps, including a Sine circle map, a Sine map, the Chirikov
      standard map, the Sinai map, the standard map, and higher order generalizations
      and/or couplings of trigonometric maps,
    - other maps, including the Bernoulli shift, a decimal shift, the Horseshoe map, the
      Ikeda map, a pastry map, a model of a digital filter, a construction of the Hénon
      type map in two dimensions from an arbitrary map in one dimension, the
      DeVogelaere map,
- Cellular automata,
- Neural networks.



The Rössler system referred to above has the form:

    dy/dt = x + ay

    dz/dt = b + z(x - c)

wherein typical parameter values are: a = b = 0.2, c = 5.7. The Rössler system is described
in more detail in O.E. Rössler, Phys. Lett. 57A, 397-398 (1976).



The Hénon map referred to above has the form:

Ly-iJ L bx n J
wherein typical parameter values are: a = 1.4, b = 0.3. For more details, see M. Hénon,
Commun. Math. Phys. 50, 69-77 (1976).

A logistic map of the form x_{n+1} = μx_n(1 - x_n) may be employed. The Anosov map, often
referred to as the cat map, having the form:



may also be used. 

The map is composed of two steps: i) a linear matrix multiplication, ii) a non-linear modulo
operation, which forces the iterates to remain within the unit square. It is possible to
generalize the Anosov maps to an arbitrary number of variables. Furthermore, the matrix
may have arbitrary coefficients only limited by the requirement of being area-preserving and
having at least one positive Lyapunov exponent for the system. These exponents can be
calculated analytically for such systems. For more details, reference is made to A. J.
Lichtenberg and M.A. Lieberman, Regular and Chaotic Dynamics, Springer 1992 (p. 305).

Systems of arbitrarily high dimension may be constructed by coupling systems of lower
dimensions, referred to as subsystems. The subsystems can be identical or different. They
can e.g. be different by using different parameters in the various subsystems, and/or they
may be different by employing different equations. The coupling can be a function of one or
more of the state variables in the individual subsystems. Several types of coupling exist,
including local and global coupling.

Local coupling implies that the individual subsystems are affected through a coupling by
some but not all the subsystems in the entire system. Examples of local couplings are
unidirectional and bi-directional coupling, which implies that the coupling is a function of one
and two subsystems, respectively. By use of these types, map lattices can be constructed. An
example of such a system with a local unidirectional coupling is the following N-dimensional
system:

    x_1 -> f_1(x_1) + ε_1 x_N
      ...
    x_N -> f_N(x_N) + ε_N x_{N-1},

where f_1, ..., f_N are mathematical functions and ε_1, ..., ε_N are coupling constants. The
mathematical functions and coupling constants may be different for each subsystem.

A usual choice of local coupling can be the diffusive coupling, referring to a type of coupling
proportional to the difference between two subsystems. This can be defined as:

    X -> f(X) + ε(X - Y),

where X and Y are two subsystems of at least dimension one and ε is a matrix of coupling
constants.

The term global coupling refers to situations where all subsystems are coupled to each other,
sometimes termed an all-to-all coupling. This can, for instance, be achieved by letting the
coupling be a function of the mean field, i.e. the average of all the subsystems. This is
defined by:

    X -> f(X) + ε (1/N) Σ_{i=1}^{N} X_i,

where X is a subsystem of at least dimension one and ε is a coupling constant.

Furthermore, the coupling function can be any linear or non-linear function of the 
subsystems. 

An example of a local bi-directional coupling is given in the following equation:

    x_i -> f(x_i) + ε[x_{i-1} - (1 + γ)x_i + γ x_{i+1}], i ∈ [1, M].

Another type of local coupling is the unidirectional local coupling, where a given state is
coupled to one of its neighbouring states. This can for example be defined as:

    x_i -> f(x_i) + ε g(x_{i+1}), i ∈ [1, M],

where g is either a linear or non-linear function. For the linear case, the system is simply
defined by:

    x_i -> f(x_i) + ε x_{i+1}, i ∈ [1, M].

Furthermore global coupling can be applied, i.e. each individual system is coupled to all other
systems. This could be done in the following way:

    x_i -> f(x_i) + ε g(x_1, x_2, x_3, ..., x_M), i ∈ [1, M],

where g is a function of all states in the system and g can be a linear or nonlinear function.
Furthermore g can be a linear or nonlinear function of a subset of the M states.

Further, a map lattice, which is a type of coupled maps, may be employed. In the example
below, x_i denotes a variable on a lattice (represented by an N-dimensional array of points),
the lattice being a 1D array with M points. Each point on the lattice is updated according to
the function on the right hand side of the arrow, where the function f may for example be the
logistic map. As is seen, neighbouring points on the lattice couple linearly, where the linear
coupling is adjusted by the parameters γ and ε. Boundary conditions refer to the way lattice
elements 1 and M are treated.

    x_i -> f(x_i) + ε[x_{i-1} - (1 + γ)x_i + γ x_{i+1}], i ∈ [1, M].

Finally, certain simple 3D flow equations may be employed; these systems normally consist
of fewer terms than the Lorenz and Rössler systems, that is, either five terms and two
nonlinearities or six terms and one nonlinearity. In comparison, the Lorenz and Rössler
systems each consist of seven terms, cf. J. C. Sprott, Phys. Rev. E 50, R647-R650 (1994).
Appropriate systems are given in the list below:

    dx/dt = y, dy/dt = -x + yz, dz/dt = 1 - y^2
    dx/dt = yz, dy/dt = x - y, dz/dt = 1 - xy
    dx/dt = yz, dy/dt = x - y, dz/dt = 1 - x^2
    dx/dt = -y, dy/dt = x + z, dz/dt = xz + 3y^2
    dx/dt = yz, dy/dt = x^2 - y, dz/dt = 1 - 4x
    dx/dt = y + z, dy/dt = -x + 0.5y, dz/dt = x^2 - z
    dx/dt = 0.4x + z, dy/dt = xz - y, dz/dt = -x + y
    dx/dt = -y + z^2, dy/dt = x + 0.5y, dz/dt = x - z
    dx/dt = -0.2y, dy/dt = x + z, dz/dt = x + y^2 - z
    dx/dt = 2z, dy/dt = -2y + z, dz/dt = -x + y + y^2
    dx/dt = xy - z, dy/dt = x - y, dz/dt = x + 0.3z
    dx/dt = y + 3.9z, dy/dt = 0.9x^2 - y, dz/dt = 1 - x
    dx/dt = -z, dy/dt = -x^2 - y, dz/dt = 1.7 + 1.7x + y
    dx/dt = -2y, dy/dt = x + z^2, dz/dt = 1 + y - 2x
    dx/dt = y, dy/dt = x - z, dz/dt = x + xz + 2.7y
    dx/dt = 2.7y + z, dy/dt = -x + y^2, dz/dt = x + y
    dx/dt = -z, dy/dt = x - y, dz/dt = 3.1x + y^2 + 0.5z
    dx/dt = 0.9 - y, dy/dt = 0.4 + z, dz/dt = xy - z
    dx/dt = -x - 4y, dy/dt = x + z^2, dz/dt = 1 + x



A further mathematical system is described below with reference to Fig. 28, cf. the below
description of the drawings.

The Lorenz system comprises the following differential equations: 
dy 

^ = xy-bz, 
dt 

wherein X = (x, y, z) are state variables, t is the independent variable, and a, r and b are
parameters.

In case the following conditions are fulfilled:

    a, r, b > 0,   (a - b - 1) > 0,   r > 1,   r > a(a + b + 3)/(a - b - 1),

the stationary points of the Lorenz system are not stable, in which case the Lorenz system is
likely to exhibit chaotic behavior. The parameters may be constant or variable, variable
parameters contributing, e.g., to the results of the computations being more unpredictable,
which may be useful in a pseudo-random number generating method or in an
encryption/decryption method.

In the case of a non-linear mapping, the computations may comprise numerically iterating
the non-linear function, the iteration being based on an initial condition X_0 of the state
variable X.

The step of performing computations may comprise numerically integrating the non-linear
differential equations by repeatedly computing a solution X_{n+1} based on one or more previous
solutions X_m, m ≤ n+1, and a step length, ΔT_n, of the independent variable, t. Preferably, at
least one initial condition, X_0, of the state variable, X, and an initial step length, ΔT_0, are
provided. The step length may be given before the computations are initiated, or it may be
computed as the computations proceed. For example, the initial step length, ΔT_0, may be
computed from the initial condition X_0.

The step length may vary between equations in a system. It may for example differ from one
equation to another. The step length vector ΔT is used to represent the step length for each
equation in the system. The ΔT vector has the same dimension as the system.

In a discretized formulation of the Lorenz system, the solution X_{n+1} may be computed using
the step length ΔT = (Δt_{x,n}, Δt_{y,n}, Δt_{z,n}) as follows:

    x_{n+1} = x_n + (a(y_n - x_n)) · Δt_{x,n},
    y_{n+1} = y_n + (x_n(r - z_n) - y_n) · Δt_{y,n},
    z_{n+1} = z_n + (x_n y_n - b z_n) · Δt_{z,n},

wherein:

Δt_{x,n} is the step length used in the computation of x_{n+1},
Δt_{y,n} is the step length used in the computation of y_{n+1},
Δt_{z,n} is the step length used in the computation of z_{n+1}.

As mentioned above, the step length ΔT may be constant or may vary throughout the
computations. For example, in each or in some of the integration steps, at least one of the
elements (Δt_{x,n}, Δt_{y,n}, Δt_{z,n}) of the step length ΔT may be a function of one or more numbers
involved in or derived from the computations. Also, in each integration step, at least one of
the elements (Δt_{x,n}, Δt_{y,n}, Δt_{z,n}) of the step length ΔT may be a function of at least one
solution, X_m, which is a current or previous solution to the mathematical system. In each or
some of the integration steps, at least one of the elements (Δt_{x,n}, Δt_{y,n}, Δt_{z,n}) of the step
length ΔT is a function of at least one step length, ΔT_m, which is a current or previous
integration step. The varying step length ΔT may be used in any numerical solution of
differential equations, and accordingly there is disclosed a method of numerically solving
differential equations using a variable step length. In a pseudo-random number generating
method, such as in an encryption/decryption method, the variable step length may contribute
to improving the security of the system, i.e. to make the resulting keystream more
unpredictable.

In a pseudo-random number generating method, the initial condition X_0 and/or the initial step
length ΔT_0 may be calculated from or represent a seed value. In an encryption/decryption
method, at least a part of the initial condition X_0 and/or at least a part of the initial step
length ΔT_0 may be calculated from or represent an encryption key. Also, at least a part of at
least some of the parameters of the mathematical system may be calculated from or
represent a seed value or an encryption key. The key may be a public or a private key.

The extracted set of data may comprise a pseudo-random number which may be used for
encryption. A plurality of numbers resulting from the computations may be extracted. The
step of extracting may comprise extracting one or more numbers derived from a number, k,
of bits of the resulting number, such as the k least significant bits from the resulting number
or numbers, which contributes to the unpredictability of the derived number. The k bits
extracted may for example be derived by applying a modulus or a logical "and" function to
the resulting number or numbers. As an alternative to extracting the k least significant bits,
the step of extracting may comprise extracting k bits at predetermined or variable positions
in the resulting number. The number k may be an integer value selected from the range
between 8 and 128, such as 16-64, such as 24-32. In case a plurality of numbers are
extracted, the extracted numbers may be derived by means of different values of k, which
further contributes to the unpredictability of the derived number. The extracted number or
numbers may be manipulated by means of arithmetic and/or logical operations, so as to
obtain a combined set of data. One or more of the extracted numbers and/or the combined
set of data may be combined with original data in an arithmetic and/or logical operation, so
as to encrypt the original data. Similarly, one or more of the extracted numbers and/or the
combined set of data may be combined with encrypted data in an arithmetic and/or logical
operation, so as to decrypt the encrypted data and obtain the original data. The arithmetic
and/or logical operation may comprise an XOR operation, multiplication or addition. For
example, the arithmetic and/or logical operation may comprise addition of the original data
and the combined set of data for encryption, and subtraction of the combined set of data
from the encrypted data for decryption. Alternatively, the arithmetic and/or logical operation
comprises subtraction of the combined set of data from the original data for encryption, and
addition of the combined set of data and the encrypted data for decryption. It may be
necessary to apply a modulus function when subtracting or adding numbers. In case the
extracted set of data comprises data derived from a plurality of numbers, one set of bits, for
example the k least significant bits, may be extracted from one number, whereas other bits,
for example the 47th - 54th bit in a 64-bit number, may be extracted from the other number.

In a block-cipher encryption/decryption system, the computations may involve data
representing a block of plaintext, so that the plaintext and a key are entered into, e.g., an
encryption system which gives the ciphertext as an output. The extracted set of data may be
used to define at least one operation on a block of plaintext in the block-cipher encryption
and decryption system. The methods described herein may be applied in a block-cipher
algorithm, wherein a block of plaintext is divided into two sub-blocks, and one sub-block is
used to influence the other, for example where a modified version of a first block (or a part
thereof) is used to influence the other (or a part thereof), e.g., by an XOR function. Such an
algorithm is generally referred to as a Feistel Network, cf. Applied Cryptography by Bruce
Schneier, Second Edition, John Wiley & Sons, 1996. In such case the first sub-block or the
modified version thereof may be transformed by a Hash function relying on the method, the
Hash function being given a cryptographic key as an input. In each round, a new
cryptographic key may be given as input to the Hash function. Alternatively, the same
cryptographic key may be given to the Hash function in all rounds. As a further alternative,
the cryptographic key may vary from block to block, for example by giving the same
cryptographic key as an input in all rounds for each block, or by giving different cryptographic
keys as inputs for each block and for each round.

The extracted data may be used as a decryption or an encryption key. In a system wherein
computations are performed in two mathematical systems, the extracted set of data from
one of the systems may be used to generate keys or used as keys for the other system. The
extracted data may also be used in generation of data representing a digital signature,
and/or in watermarking of digital data.

In the methods described herein, the electronic device may comprise an electronic processing
unit having a register width, whereby the method may comprise the steps of:

- expressing at least one integer number of a bit width larger than said register width as at
  least two sub-numbers each having a bit width which is at most equal to said register
  width,

- performing at least one of said computations as a sub-computation on each of the
  sub-numbers so as to arrive at at least two partial results, expressed as integer numbers of a
  bit width which is at most equal to the register width of the processing unit,

- concatenating the partial results to yield a representation of a result of said at least one
  computation.

Analogously, computations on numbers of a width smaller than the register width of the
processor may also be performed, whereby an operation, for example a logical AND, may be
performed, so that the upper half of, e.g., a 64-bit register is not used for computations on
32-bit numbers. In order to maintain the sign of the number in question, the most significant
bit of, e.g., the 32-bit number may be copied into the upper 32 bits of the 64-bit register.
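
The sub-number technique and the sign copy described above, as an added Python example that is not code from the patent. A 64-bit register with 32-bit sub-numbers and a fixed-point format with 32 fractional bits are assumed, and all function names are hypothetical.

```python
# Added illustration, not code from the patent. Python integers stand in
# for hardware registers; the widths below are assumptions.
REG_BITS = 64                      # assumed register width
SUB_BITS = 32                      # assumed width of each sub-number
REG_MASK = (1 << REG_BITS) - 1
SUB_MASK = (1 << SUB_BITS) - 1


def split(value, count):
    """Express a wide unsigned integer as `count` sub-numbers, lowest first."""
    return [(value >> (SUB_BITS * i)) & SUB_MASK for i in range(count)]


def concatenate(parts):
    """Concatenate sub-numbers (lowest first) into one wide integer."""
    result = 0
    for i, part in enumerate(parts):
        result |= (part & SUB_MASK) << (SUB_BITS * i)
    return result


def mul_wide(a, b, count=2):
    """Full product of two (count * 32)-bit numbers, computed as
    sub-computations whose intermediate values all fit one register."""
    sub_a, sub_b = split(a, count), split(b, count)
    acc = [0] * (2 * count)                 # partial results, lowest first
    for i, ai in enumerate(sub_a):
        carry = 0
        for j, bj in enumerate(sub_b):
            t = ai * bj + acc[i + j] + carry
            assert t <= REG_MASK            # never wider than the register
            acc[i + j] = t & SUB_MASK
            carry = t >> SUB_BITS
        acc[i + count] = carry
    return concatenate(acc)


def fixed_mul(a, b):
    """Product of two unsigned fixed-point numbers with 32 fractional bits.
    The result keeps sub-numbers 1 and 2 of the 128-bit product, which is
    the product shifted right by 32 bits and truncated to 64 bits."""
    parts = split(mul_wide(a, b), 4)
    return concatenate(parts[1:3])


def sign_extend_32(value):
    """Copy bit 31 of a 32-bit number into the upper 32 bits of a register."""
    value &= SUB_MASK
    if value & (1 << 31):
        value |= REG_MASK ^ SUB_MASK
    return value


if __name__ == "__main__":
    one_and_a_half = 3 << 31               # 1.5 with 32 fractional bits
    print(hex(fixed_mul(one_and_a_half, one_and_a_half)))
```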

The integer numbers usually comprise or represent the fixed-point number or numbers used
in the computations. A fixed-point number expressed in terms of an integer type number
may represent a real number.



D DETECTION OF PERIODIC BEHAVIOR 

A method of detecting periodic behavior in the solution of a mathematical system comprising
at least one non-linear function governing at least one state variable with respect to at least
one independent variable, comprises:

- expressing the mathematical system in discrete terms,

- performing computations so as to obtain resulting numbers, the resulting numbers
  representing at least parts of solutions to the mathematical system,

- storing selected solutions in an array, A, in a memory of the electronic device, the array
  being adapted to store a finite number, n+1, of solutions,

- determining whether at least one of:
  - a current solution, and
  - a particular one of said solutions stored in the array
  is substantially identical to another solution stored in the array.

It should be understood that this method constitutes an independent aspect of the present
invention. The steps of performing computations, storing selected solutions, and determining
may be performed continuously during the computations, i.e. repetitively during the
computations, such as in each computational step, such as in connection with each iteration.

If a current solution or a particular one of the solutions stored in the array is substantially
identical to one or more other solutions stored in the array, the solution of the mathematical
system is likely to show periodic behavior. In case one of the methods described herein is
used in a pseudo-random number generating method, in particular if it is used in an
encryption/decryption method, such periodic behavior is undesirable, as it negatively
influences the unpredictability of the generated pseudo-random numbers or the keystream.
By applying the above method, periodic behavior may be detected.

The step of determining whether a current solution or a particular one of the solutions stored
in the array is substantially identical to one or more other solutions stored in the array
preferably comprises determining whether the solutions are completely identical. When
solving a mathematical system expressing an array of state variables X, the step of
determining may comprise determining whether only some of the entries of X are
substantially identical.



In order to save computational time and/or memory, only selected solutions may be stored in
the memory.



In the method, each entry in the array may contain a solution having an age which is
growing by array level, A_i, 0 ≤ i ≤ n, and the method may comprise:

- at the step of storing selected solutions in the array: storing a current solution at the 0'th
  level, A_0, in the array, A, thereby overwriting an old value stored at the 0'th level in the
  array, A,

- if a 0'th predetermined criterion is fulfilled: transferring the old value to the 1'st level in
  the array, A, before the 0'th level is overwritten by the current solution, and

for the 1st level and each further level i in the array:

- if an i'th predetermined criterion for level i is fulfilled: transferring the old value stored at
  the i'th level to the i+1'st level in the array, A, before the i'th level is overwritten by the
  value transferred from the i-1'st level,

if the n'th level is to be updated: discarding the old value previously stored at the n'th level.

For each level, i, in the array, the number of times an old value stored at the i'th level has
been overwritten by a new value without the old value being transferred to the i+1'st level
may be counted, the i'th predetermined criterion being fulfilled if the old value has not been
transferred for a predetermined number of times. The predetermined number of times may
be the same for all levels of the array, A, or it may vary between the levels. The
predetermined number of times for the i'th level of the array, A, may for example be
dependent on one or more values stored in the array, such as when there occurs a change of
sign in one or more of the values.

The step of

    determining whether a current solution or a particular one of said solutions stored in
    the array is substantially identical to one or more other solutions stored in the array

may only be performed when a test criterion is fulfilled. For example, the test criterion may
be fulfilled when the sign of at least one state variable changes from + to -, or from - to +,
or both. The test criterion may also be fulfilled when there occurs a change of sign of at least
one derivative of at least one state variable with respect to at least one independent variable,
in which case the method further comprises computing the derivative.

In the method, a test value may be computed from the at least one state variable and/or 
from the derivative, the test criterion being based on the test value. The test criterion may 
for example be fulfilled when there occurs a change of sign in the test value or in a derivative 
of the test value, or predetermined values may be provided. 

E PSEUDO-NUMBER GENERATION AND ENCRYPTION/DECRYPTION

A method of generating a pseudo-random number, comprises:

I) expressing a mathematical system in discrete terms,

II) defining a seed value representing at least an initial condition for the mathematical
system,

III) expressing at least one variable of the mathematical system as a fixed-point number,

IV) performing computations including the at least one variable expressed as a fixed-point
number and obtaining, from said computations, a resulting number, the resulting number
representing at least one of:

a. at least a part of a solution to the mathematical system, and

b. a number usable in further computations involved in the numerical solution of the
mathematical system,

V) extracting, as the pseudo-random number, a number derived from at least one number
which has occurred during the computations. This method constitutes an independent aspect
of the present invention.

The seed value may be a user-defined value, such as an encryption/decryption key in case 
the method is applied in an encryption/decryption method. 

The pseudo-random number may be extracted as a number derived from the k digits of the
one or more numbers which have occurred during the computations, e.g. the k least
significant bits or k selected bits from the one or more numbers.

The method may comprise repeating steps IV) and V) until a given amount of pseudo- 
random numbers has been generated. 

A given amount of pseudo-random numbers may be generated and stored in a memory of
the electronic device as a spare seed value, which may, e.g., be used if periodic behavior is
detected by the above method or by another method. The given amount of pseudo-random
numbers may be stored internally in an algorithm.

The method may further comprise a method for detecting periodic behavior as discussed
above. In that case the method for generating a pseudo-random number may comprise, if
the step of:

    determining whether a current solution or a particular one of said solutions stored in
    the array is substantially identical to one or more other solutions stored in the array

reveals that the current solution or the particular solution is identical to one or more other
solutions,

interrupt the pseudo-random-number generation, i.e. interrupting repetition of steps IV) and
V),

use the spare seed value as the seed value in step II),

resume the pseudo-random-number generation, i.e. resuming repetition of steps IV) and V).

Thus, for example, in an encryption/decryption method, a spare encryption/decryption key
may be used if periodic behavior is detected.

Prior to the step of resuming the pseudo-random number generation, a given amount of
pseudo-random numbers may be generated and stored, in a memory of the electronic device,
as a new spare seed value. Each level in the array, A, is preferably reset prior to step IV),
when steps IV) and V) are initiated with a new seed value at step II).
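
The aged array of section D combined with the spare-seed restart described above, as an added Python example that is not part of the patent. The logistic map, the 16-bit fixed-point format, the parameter MU, a transfer threshold of 2 for every level and the way the spare seed is packed are all assumptions chosen for illustration.

```python
# Added illustration, not code from the patent. The map, the number format,
# MU, the threshold and the spare-seed packing are assumptions.
FRAC_BITS = 16
ONE = 1 << FRAC_BITS            # fixed-point representation of 1.0
MU = 261488                     # about 3.99 with 16 fractional bits
K = 8                           # bits extracted per output number
K_MASK = (1 << K) - 1


def logistic_step(x):
    """One iteration x -> MU*x*(1-x) in integer (fixed-point) arithmetic."""
    product = (x * (ONE - x)) >> FRAC_BITS
    return (MU * product) >> FRAC_BITS


class AgedHistory:
    """Array A: level 0 holds the newest solution, higher levels older ones."""

    def __init__(self, levels=20, threshold=2):
        self.slots = [None] * levels
        self.skipped = [0] * levels   # overwrites since the last transfer
        self.threshold = threshold

    def contains(self, value):
        return value in self.slots

    def store(self, value):
        carry = value
        for level in range(len(self.slots)):
            old = self.slots[level]
            self.slots[level] = carry
            if old is None:
                return
            self.skipped[level] += 1
            if self.skipped[level] < self.threshold:
                return                # criterion not met: old value dropped
            self.skipped[level] = 0
            carry = old               # criterion met: old value moves up
        # leaving the loop discards the old value of the top level


def derive_spare(x):
    """Pack K bits from each of the next two iterates into a spare seed."""
    a = logistic_step(x)
    b = logistic_step(a)
    return ((a & K_MASK) << K) | (b & K_MASK)


def keystream(seed, count):
    """Return (outputs, restarts): `count` K-bit numbers and the iteration
    numbers at which a repeated solution forced a restart."""
    x = seed & (ONE - 1)
    spare = derive_spare(x)
    history, outputs, restarts, step = AgedHistory(), [], [], 0
    while len(outputs) < count:
        x = logistic_step(x)
        step += 1
        if history.contains(x):       # periodic behaviour detected
            restarts.append(step)
            x = spare                 # the spare seed becomes the seed
            spare = derive_spare(x)   # new spare stored before resuming
            history = AgedHistory()   # every level of the array is reset
            continue
        history.store(x)
        outputs.append(x & K_MASK)    # K least significant bits
    return outputs, restarts


if __name__ == "__main__":
    outs, restarts = keystream(0x1234, 2000)
    print("first restarts at iterations:", restarts[:5])
```

With a threshold of 2, level i of the array holds solutions aged 2^i to 2^(i+1) - 1 iterations, so 20 levels catch any cycle this 16-bit state can produce.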



A method of encrypting a set of original data into a set of encrypted data, comprises the
steps of:

A) generating a pseudo-random number by performing the steps of:
   I) expressing a mathematical system in discrete terms,
   II) defining an encryption key representing at least an initial condition for the
       mathematical system,
   III) expressing at least one variable of the mathematical system as a fixed-point
        number,
   IV) performing computations including the at least one variable expressed as a
       fixed-point number and obtaining, from the computations, a resulting number, the
       resulting number representing at least one of:
       a. at least a part of a solution to the mathematical system, and
       b. a number usable in further computations involved in the numerical solution of the
          mathematical system,
   V) extracting, as the pseudo-random number, a number derived from at least one
      number which has occurred during the computations,
B) manipulating the original data and the pseudo-random number by means of at least one
   of:
   i. an arithmetic operation, and
   ii. a logical operation,
   so as to obtain a combined set of data, the combined set of data being the encrypted data.

Prior to step A), a sub-set of the original data may be separated from the set of data, and
step B) may be performed on the sub-set of data. This step may be repeated until a plurality
of sub-sets which in common constitute the entire set of original data have been encrypted.

The pseudo-random number may be extracted as a number derived from the k bits of the
one or more numbers which have occurred during the computations, e.g. the k least
significant bits or k selected bits.

Steps IV) and V) may be repeated until a given amount of pseudo-random numbers has been
generated.

A given amount of pseudo-random numbers may be generated and stored in a memory of
the electronic device as a spare encryption key. For example, a number resulting from or
occurring in at least one integration or iteration step of the computations may be stored as a
spare encryption key. The spare encryption key may, e.g., be used if encryption is
interrupted due to the occurrence of periodic behavior in the solution to the mathematical
system. In case no output of the spare encryption key is needed, it may be stored internally
in an encryption algorithm. When the method is used for decryption, the spare key is a
decryption key.

As it appears from the above, the method may comprise a method for detecting periodic
behavior, in which case the method for encrypting may comprise, if the step of

    determining whether a current solution or a particular one of said solutions stored in
    the array is substantially identical to one or more other solutions stored in the array

reveals that the current solution or the particular solution is identical to one or more other
solutions,

interrupt the pseudo-random number generation, i.e. interrupting repetition of steps IV) and
V),

use the spare encryption key as the encryption key in step II),

resume the pseudo-random number generation, i.e. resuming repetition of steps IV) and V).

Prior to the step of resuming the pseudo-random number generation, a given amount of
pseudo-random numbers may be generated and stored in a memory of the electronic device
as a new spare encryption key.

Preferably, each level in the array, A, is reset prior to step IV), when steps IV) and V) are
initiated with a new seed value at step II).

30 

A method of decrypting a set of encrypted data which has been encrypted by the method
discussed above comprises the steps of:

a) performing step A) as defined above in connection with the encryption method, so as to
extract the same pseudo-random number as extracted in step V) of the encryption method,
b) manipulating the encrypted data and the pseudo-random number by means of arithmetic
and/or logical operations, so as to obtain the original, i.e. decrypted, version of the data.

Prior to step a), a sub-set of the encrypted data may be separated from the set of encrypted
data, and in case the sub-set of data has been encrypted by the above encryption method,
the method of decrypting may comprise performing steps a) and b) on the sub-set of data.
This step may be repeated until a plurality of sub-sets which in common constitute the entire
set of encrypted data have been decrypted.

Any of the steps of the encryption method may be applied in an identical manner when
decrypting the encrypted data as during the previous sequence of encrypting the original
data.

F PROCESSING IN A PLURALITY OF INSTANCES IN PARALLEL

A method of generating a pseudo-random number comprises, in one instance:

I) expressing a mathematical system in discrete terms, 

II) defining a seed value representing at least an initial condition for the mathematical 
system, 

III) expressing at least one variable of the mathematical system as a fixed-point number, 

IV) performing computations including the at least one variable expressed as a fixed-point 
number and obtaining a resulting number, the resulting number representing at least one of: 

a. a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of the 
mathematical system, 

V) extracting, as the pseudo-random number, a number derived from at least one number
which has occurred during the computations,

performing steps I) - V) in a plurality of instances in parallel. This method constitutes an
independent aspect of the present invention.

Computations in the two or more instances may be performed either at the same time, or
successively. Thus, the computations in the two or more instances may be performed by
executing instructions which process a plurality of computations at the same time, or by
executing instructions which only process a single computation at a time.

Thus, pseudo-random number generation in a plurality of instances in parallel may, in some
cases, be faster than if the steps are performed in one instance only, in particular if the
hardware on which the method is executed supports parallel processing. Further, by coupling
the two or more instances, a larger key length in encryption may be applied than if only one
instance were used. For example, one part of an encryption key may be used for a first
instance, and another part of the encryption key may be used for a second instance.

Mathematical systems of arbitrarily high dimension may be constructed by coupling systems
of lower dimension, referred to as subsystems. For example, N logistic maps can be coupled,
yielding an N-dimensional system. The coupling mechanism can be engineered by including
either linear or non-linear coupling functions in the N different maps corresponding to the N
different variables. The coupling function in the map governing one variable may or may not
depend on all other variables. Alternatively, the coupling can be carried out by substituting
one of the N variables into one or more of the N-1 remaining maps.

Two or more logistic maps may be coupled through linear coupling terms. In the example
shown below, the parameters $\varepsilon_1$ and $\varepsilon_2$ in front of the coupling terms control the strength of
the coupling, i.e. the degree of impact that each one of the two logistic maps has on the
other one.

$y_{n+1} = \lambda_2 y_n (1 - y_n) + \varepsilon_2 (x_n - y_n)$

Numbers or data may be transmitted between the plurality of instances at least while
performing step IV) for each of the instances. The same applies to step V).

The method may comprise combining, by use of arithmetic and/or logical operations, a
plurality of pseudo-random numbers extracted at step V) in each of the instances into a
common pseudo-random number.

Parameter and/or variable values, or parts thereof, may be exchanged between the two
instances. Thus, for example $x_{n+1}$ of one instance and $x_{n+1}$ of another instance may be
exchanged after each iteration step, or $x_{n+1}$ of one instance may be exchanged with $y_{n+1}$ of
another instance. Likewise, the step length $\Delta t_n$ may be exchanged between the two
instances. The exchange of variable or parameter values may also be achieved by performing
logical and/or arithmetic operations on a value of a first instance before using that value for
modifying a value of a second instance.

G USING A CRYPTOGRAPHIC KEY AS AN INPUT TO A MATHEMATICAL SYSTEM 

A method of performing numerical computations in a mathematical system comprising at
least one function may comprise the steps of:

- expressing the mathematical system in discrete terms, 

- expressing at least one variable of the mathematical system as a fixed-point number, 

- performing said computations in such a way that the computations include the at least 
one variable expressed as a fixed-point number, 

- obtaining, from said computations, a resulting number, the resulting number representing 
at least one of: 

a. at least a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of the
mathematical system,

the step of performing computations comprising:

- repeatedly computing a solution $X_{n+1}$ based on at least one previous solution $X_m$, $m \le n+1$,

whereby the step of performing computations is initiated based on at least one initial
condition, $X_0$, of the state variable, X,
the method further comprising:

- providing a cryptographic key as an input to said computations, whereby the
cryptographic key is used in generation of the initial condition $X_0$. This method constitutes
an independent aspect of the present invention.

It should be understood that, in the present context, the term "previous solutions" also
covers the current solution, $X_{n+1}$.

The cryptographic key may further be used for initializing parameters of the mathematical
system.

H GENERATION OF AN IDENTIFICATION VALUE FOR IDENTIFYING OR PROVING THE
IDENTITY OF A SET OF DATA

A method of determining an identification value for identifying a set of data comprises
performing numerical computations in a mathematical system comprising at least one
function, the method comprising the steps of:

- expressing the mathematical system in discrete terms, 

- expressing at least one variable of the mathematical system as a fixed-point number,

- performing said computations in such a way that the computations include the at least
one variable expressed as a fixed-point number,

- obtaining, from said computations, a resulting number, the resulting number representing
at least one of:

a. at least a part of a solution to the mathematical system, and

b. a number usable in further computations involved in the numerical solution of the
mathematical system,

whereby a representation of at least part of the set of data is used in said computations, the
method further comprising:

- extracting, as said identification value, at least a part of said resulting number. This
method constitutes an independent aspect of the present invention.

Thus, the above method may be regarded as a Hash function or Hash algorithm, which have
been discussed in detail above. The identification value may be constituted by a number of
extracted numbers which have been extracted at different computational stages in the
numerical computations. Extraction may occur at each computational step or at each iteration
step, or it may occur only at selected computational stages.

The term "identification value" may be a hash value or a cryptographic check-sum which
identifies the set of data, cf. for example Applied Cryptography by Bruce Schneier, Second
Edition, John Wiley & Sons, 1996. In case a cryptographic key is used as a seed value for the
computations, the hash function is usually referred to as a MAC function (Message
Authentication Code).

The mathematical system may comprise a differential equation, such as a partial differential
equation or an ordinary differential equation, or a discrete mapping, such as an
area-preserving map or a non area-preserving map. The mathematical system may comprise at
least one non-linear mapping function governing at least one state variable X.

A non-linear mapping function may for example comprise a logistic map of the form
$x_{n+1} = \lambda x_n (1 - x_n)$, wherein $\lambda$ is a parameter, $x_{n+1}$ is the value of state variable x at the (n+1)'th
stage in the computations, and $x_n$ is the value of state variable x at the n'th stage in the
computations.

The logistic map may be modified into the form $x_{n+1} = \lambda x_n (1 - x_n) + \varepsilon (x_n - m_n)$, wherein $\lambda$ and $\varepsilon$ are
parameters, $x_{n+1}$ is the value of state variable x at the (n+1)'th stage in the computations, $x_n$
is the value of state variable x at the n'th stage in the computations, and $m_n$ contains a
representation of an n'th portion of the set of data.

A cryptographic key may be used for at least partially determining at least one of the
following: $\lambda$, $\varepsilon$ and an initial value $x_0$ of state variable x.



The mathematical system may comprise a set of non-linear mapping functions, such as: 
- an Anosov map of the form: 



The mathematical system may comprise at least one non-linear differential equation and/or a
set of non-linear differential equations.

Preferably, the mathematical system has at least one positive Lyapunov exponent, whereby a
certain degree of irregular or chaotic behavior is achieved, whereby randomness properties of
the system and security are enhanced.

At least one Lyapunov exponent may be computed at least once during the mathematical
computations in order to determine whether the mathematical system exhibits chaotic
behavior. If this is not the case, e.g. if the computed Lyapunov exponent is not positive, the
computations may be interrupted and resumed from other initial values and/or other
parameters.

The at least one non-linear differential equation preferably governs at least one state variable, X,
which is a function of at least one independent variable, t. The set of non-linear differential
equations may for example comprise a Lorenz system.

I HANDLING OF OVERFLOW, DELIBERATE GENERATION OF OVERFLOW 

A method of performing numerical computations in a mathematical system comprising at 
least one function, comprises the steps of: 

- expressing the mathematical system in discrete terms,

- restricting the range of at least a selected variable of said function, the range being
sufficiently narrow so as to exclude values which the selected variable, by virtue of said
function, would assume if not restricted by said range,

- performing computations so as to obtain a resulting number, the resulting number 
representing at least one of: 

a. a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of the
mathematical system,




- a Henon map of the form:

$\begin{bmatrix} x_{n+1} \\ y_{n+1} \end{bmatrix} = \begin{bmatrix} 1 + y_n - a x_n^2 \\ b x_n \end{bmatrix}$

- when the computations result in a value for the selected variable which is beyond the
range, assigning a value within the range to the selected variable. This method
constitutes an independent aspect of the present invention.

For example, if the upper bits of the value, which is beyond the range, are truncated, the
step of assigning a value within the range may be seen as a modulus function. The steps of
the method may thus provide deliberate overflow, e.g. in order to enhance randomness
properties of an encryption/decryption system and/or in order to make it more difficult to
derive information about internal states of the mathematical system from encrypted data.


The above method may thus be a part of a pseudo-random number generating method
which, e.g., generates pseudo-random numbers for use in at least one of encryption and
decryption. The mathematical system preferably has at least one positive Lyapunov
exponent.


K HANDLING OF IMAGINARY OR VIRTUAL DECIMAL SEPARATOR 

A further method of performing numerical computations in a mathematical system
comprising at least one function comprises:

- expressing the mathematical system in discrete terms,

- expressing at least one variable of the mathematical system as an integer number,

- placing an imaginary decimal separator in said integer number, whereby the integer
number represents a real number,

- performing computations including the at least one variable expressed as an integer
number so as to obtain a resulting number, the resulting number being expressed as an
integer number,

- positioning the imaginary decimal separator in the resulting number at a predetermined
position by performing at least one of the steps of:

- correcting the position of the imaginary decimal separator in the integer number, and
- placing an imaginary separator in the resulting number.

This method constitutes an independent aspect of the present invention.



The resulting number is usually a fixed-point number having a fixed position of the decimal
separator. Alternatively, the position of the decimal separator in the resulting number may be
corrected after the computation has been completed. A third possibility is to correct the
position of the decimal separator before and after performing the computation. This may be
relevant if not all positions to the left of the decimal separator in the resulting number are
used, and it is desired to maintain a relatively higher resolution in the computations than the
resolution of the resulting number. For example, the resulting number is desired to have an
S(10.21) format. Thus, the addition of, say, two S(7.24) format numbers may be performed
in an S(8.23) format which then is converted to the S(10.21) format resulting number.
Thereby, the carry from the second and third least significant bits in the arguments may
influence the result.

Finally, for some computations no correction of the position of any decimal separator may be
required or needed.

The correction of the position of a decimal separator is usually performed by means of shift
operations.

In a most general form, a method of performing numerical computations in a mathematical
system comprising at least one function comprises the steps of:

- expressing the mathematical system in discrete terms,

- expressing at least one variable of the mathematical system as a fixed-point number,

- performing said computations in such a way that the computations include the at least
one variable expressed as a fixed-point number,

- obtaining, from said computations, a resulting number, the resulting number representing
at least one of:

a. at least a part of a solution to the mathematical system, and

b. a number usable in further computations involved in the numerical solution of the
mathematical system.

L SUBSTITUTE COMPUTATIONS REQUIRING NO POSITIONING OF AN IMAGINARY 
DECIMAL SEPARATOR 

There is further disclosed, as an independent aspect of the present invention, a circuit for
performing numerical computations in a non-linear mathematical system comprising at least
one function, the circuit being designed or programmed so that the mathematical system, in
the circuit or in the computer program code, is represented in modified terms in such a way
that at least a selected one of the numerical computations involves an integer operation,
whereby said selected numerical computation in a non-modified representation of the
mathematical system would require one or more floating point operations or controlling the
positioning of a decimal separator in one or more fixed-point numbers, the circuit being
designed or programmed so that said selected computation is substituted by at least one
substitute computation on one or more integer numbers, whereby the mathematical system,
in the circuit or in the computer program code, is represented in such a way that the at least
one substitute computation requires no positioning of an imaginary decimal separator.



The mathematical system may exhibit chaotic behavior. 

Thus, for example, the computations:

$x_{n+1} = x_n + y_n$ and
$y_{n+1} = x_n + 2 y_n$

may be performed by first computing $x_{n+1}$. Then, the expression for $y_{n+1}$ may be computed
as:

$y_{n+1} = x_{n+1} + y_n$

whereby the computational step of multiplying $y_n$ by 2 may be omitted.

Thus, by performing the substitute computations, computational time may be saved. 

Likewise, there is disclosed a method of, in an electronic circuit, performing numerical
computations in a non-linear mathematical system comprising at least one function, the
method comprising, in the circuit or in a computer program segment according to which the
circuit operates, the steps of:

- representing the mathematical system in modified terms in such a way that at least a
selected one of the numerical computations involves an integer operation, whereby said
selected numerical computation in a non-modified representation of the mathematical
system would require one or more floating point operations or controlling the positioning
of a decimal separator in one or more fixed-point numbers,

- substituting said selected computation by at least one substitute computation on one or
more integer numbers, whereby the mathematical system, in the circuit or in the
computer program code, is represented in such a way that the at least one substitute
computation requires no positioning of an imaginary decimal separator,

- performing said substitute computation.

BRIEF DESCRIPTION OF THE DRAWINGS 

The above methods will now be further described with reference to the drawings, in which:

Fig. 1 is an illustration of a cryptographic method employing a squaring function of a state
variable x,

Fig. 2 is an illustration of a next-state function including a counter increment,

Fig. 3 is an illustration of the system of Fig. 1 with coupling,

Fig. 4 is an illustration of a system with counter incrementation,

Fig. 5 is an illustration of an encryption/decryption process,

Fig. 6 is an illustration of a sequence for encrypting, transmitting and decrypting electronic
data,

Fig. 7 is an illustration of an encryption sequence in a block cipher system,

Fig. 8 is an illustration of an encryption sequence in a stream cipher system,

Fig. 9 is an illustration of the key elements in an encryption/decryption algorithm,

Fig. 10 is a plot of a numerical solution to a Lorenz system,

Fig. 11 is an illustration of key extension by padding,

Fig. 12 illustrates a possible method of simultaneously computing two or more instances of
identical or different chaotic systems,

Fig. 13 illustrates the principle of performing a check for periodic solutions,

Fig. 14 shows a mathematical system with a periodic solution,

Fig. 15 illustrates transport between levels in the coordinate cache which stores previously
calculated coordinates,

Figs. 16-18 illustrate various criteria for the detection of periodic solutions,

Fig. 19 contains an illustration of a method for multiplication of 16-bit numbers on an 8-bit
processor,

Figs. 20-27 are flow charts showing the operation of one embodiment of an encryption
method,

Fig. 28 is an illustration of a mathematical system which may be employed in the methods of
the present invention.

DETAILED DESCRIPTION OF THE DRAWINGS 

Figs. 1-5 illustrate various aspects and embodiments of the methods of the invention. As
discussed above, stream ciphers produce a stream of pseudo-random bits specified by a key.
This stream of bits is referred to as the keystream, and encryption is performed by bitwise
XOR'ing a plaintext with the keystream to obtain the ciphertext. The resulting ciphertext is
decrypted by reproducing the same keystream specified by the same key and XOR'ing the
ciphertext with this keystream to obtain the plaintext.

In order to generate a keystream, an embodiment of a Pseudo Random Number Generator
(PRNG) may be built upon 512 internal bits divided between eight 32-bit state variables and
eight corresponding 32-bit counter variables, which are incremented and added to the state
variables at each iteration. The PRNG works by iterating a system of eight coupled equations
based on a non-linear function and extracting 128 bits from the eight state variables after
each iteration.

The algorithm is initialized by expanding the 128-bit key into 512 bits which are used to
set up both the eight state variables and the eight counter values. The system, defined by the
next-state function shown in Fig. 1, is then iterated four times in order to diminish correlation
between the state variables and the key. Finally, the counter values are modified by XOR'ing
them with the state variables in order to obtain the initial counter value.

A function, in the following referred to as the "g-function", may be employed, the g-function
squaring a 32-bit number resulting in a 64-bit number, from which the upper 32 bits and the
lower 32 bits are XOR'ed, cf. Fig. 1.

The g-function is used in the system of eight coupled equations, the system being iterated
once in order to generate a new state from which 128 bits of random data are extracted.
Before each iteration the counter values are incremented according to the counter system
described below, and then the new state values are calculated by iterating the following
system, cf. also Fig. 2 illustrating a system with counter incrementation:

$X_{i+1} = M \times G(X_i + C_i)$

where $X_i = (x_{0,i}, x_{1,i}, \ldots, x_{7,i})$, with $x_{j,i}$ being the value of state $j$ at iteration $i$,
$C_i = (c_{0,i}, c_{1,i}, \ldots, c_{7,i})$, where $c_{j,i}$ is the value of counter $j$ at iteration $i$, $G(X)$ being the
g-function evaluated on $X$, i.e. $G(X_i) = (g(x_{0,i}), g(x_{1,i}), \ldots, g(x_{7,i}))$, and $M$ being a coupling
matrix defined by:

where $k_8$ and $k_{16}$ imply that the coupling includes permutations of the 32 bits, i.e. for a
permutation $k$, the expression $k \times g(x_i)$ implies that some or all bits in the number $g(x_i)$
are mixed. $k_8$ indicates that the permutation in question is an 8-bit left rotation, and $k_{16}$
likewise indicates a 16-bit left rotation. Fig. 3 illustrates such a coupled system.

The dynamics of the counter is defined by $C_{i+1} = A + C_i$. If a carry occurs, it is saved and
added at the next iteration step. $A = (a_0, a_1, \ldots, a_7)$ may for example be a 256-bit constant
integer partitioned into eight 32-bit integers. Fig. 4 illustrates the counter incrementation.

After each iteration step, 128 bits of keystream are extracted by XOR'ing different state
variables. For example, the upper 16 bits and the lower 16 bits from two different state
variables may be XOR'ed, creating a total of eight 16-bit combinations resulting in 128 bits of
random data. The keystream is XOR'ed with the plaintext/ciphertext to encrypt/decrypt. Fig.
5 illustrates such an encryption/decryption process.
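The generator described above (g-function, counter system with saved carry, coupled next-state function, 16-bit XOR extraction), as an added C example that is not code from the patent. Because the coupling matrix M is not reproduced in this text, the rotation pattern, the extraction pairing and the constant A are taken from the public Rabbit specification (RFC 4503); the key expansion, key and plaintext are constructed for illustration, so the output is not Rabbit-conformant.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Eight 32-bit state variables, eight 32-bit counters, and the carry that is
   saved between iterations. */
typedef struct { uint32_t x[8], c[8]; uint32_t carry; } prng_t;

/* Counter constant A as eight 32-bit words. Values from RFC 4503 (Rabbit);
   the page itself gives no value for A. */
static const uint32_t A[8] = {
    0x4D34D34Du, 0xD34D34D3u, 0x34D34D34u, 0x4D34D34Du,
    0xD34D34D3u, 0x34D34D34u, 0x4D34D34Du, 0xD34D34D3u };

static uint32_t rotl32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }

/* g-function: square a 32-bit number into 64 bits, XOR upper and lower halves. */
uint32_t g_func(uint32_t u) {
    uint64_t sq = (uint64_t)u * u;
    return (uint32_t)(sq ^ (sq >> 32));
}

/* C_{i+1} = A + C_i as one 256-bit addition: the carry ripples through the
   eight words and the last carry is saved for the next iteration. */
void counter_step(prng_t *s) {
    for (int j = 0; j < 8; j++) {
        uint64_t t = (uint64_t)s->c[j] + A[j] + s->carry;
        s->c[j] = (uint32_t)t;
        s->carry = (uint32_t)(t >> 32);
    }
}

/* One iteration X_{i+1} = M x G(X_i + C_i). Coupling as in RFC 4503: even
   rows use two 16-bit rotations, odd rows one 8-bit rotation. */
void next_state(prng_t *s) {
    uint32_t g[8];
    counter_step(s);
    for (int j = 0; j < 8; j++) g[j] = g_func(s->x[j] + s->c[j]);
    for (int j = 0; j < 8; j++) {
        uint32_t p1 = g[(j + 7) & 7], p2 = g[(j + 6) & 7];
        s->x[j] = (j & 1) ? g[j] + rotl32(p1, 8) + p2
                          : g[j] + rotl32(p1, 16) + rotl32(p2, 16);
    }
}

/* Extract 128 bits: eight XORs of 16-bit halves of different state variables. */
void extract128(const prng_t *s, uint8_t out[16]) {
    const uint32_t *x = s->x;
    uint32_t w[4] = {
        x[0] ^ (x[5] >> 16) ^ (x[3] << 16),
        x[2] ^ (x[7] >> 16) ^ (x[5] << 16),
        x[4] ^ (x[1] >> 16) ^ (x[7] << 16),
        x[6] ^ (x[3] >> 16) ^ (x[1] << 16) };
    for (int i = 0; i < 16; i++) out[i] = (uint8_t)(w[i / 4] >> (8 * (i % 4)));
}

/* Hypothetical key expansion (none is specified on the page): spread the four
   key words over state and counters, iterate four times, then XOR the
   counters with the state variables. */
void prng_setup(prng_t *s, const uint32_t key[4]) {
    for (int j = 0; j < 8; j++) {
        s->x[j] = rotl32(key[j & 3], (unsigned)(4 * j + 1));
        s->c[j] = rotl32(key[(j + 2) & 3], (unsigned)(4 * j + 3)) ^ A[j];
    }
    s->carry = 0;
    for (int i = 0; i < 4; i++) next_state(s);
    for (int j = 0; j < 8; j++) s->c[j] ^= s->x[(j + 4) & 7];
}

/* Encrypt or decrypt: XOR the data with 16 keystream bytes per iteration. */
void xor_stream(const uint32_t key[4], const uint8_t *in, uint8_t *out, size_t len) {
    prng_t s;
    uint8_t ks[16];
    prng_setup(&s, key);
    for (size_t off = 0; off < len; off += 16) {
        next_state(&s);
        extract128(&s, ks);
        for (size_t i = 0; i < 16 && off + i < len; i++)
            out[off + i] = in[off + i] ^ ks[i];
    }
}

int main(void) {
    /* Constructed key and plaintext. */
    const uint32_t key[4] = { 0x01234567u, 0x89ABCDEFu, 0x0F1E2D3Cu, 0x4B5A6978u };
    const uint8_t msg[] = "constructed sample plaintext";
    uint8_t ct[sizeof msg], pt[sizeof msg];
    xor_stream(key, msg, ct, sizeof msg);
    xor_stream(key, ct, pt, sizeof msg);
    for (size_t i = 0; i < sizeof ct; i++) printf("%02x", ct[i]);
    printf("\nround trip ok: %d\n", memcmp(pt, msg, sizeof msg) == 0);
    return 0;
}
```

Reusing a key without a per-message IV reproduces the same keystream, which is the situation the IV handling described on this page addresses.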

Many practical applications of pseudo-random number generators require the use of a
so-called Initialization Vector (IV). For instance, when large amounts of data are
encrypted/decrypted it is necessary to start from one end of the data and continue through
all the data. If only a part of the data is to be decrypted, which is towards the end of the
data, it is necessary to iterate the appropriate number of times from the beginning of the
data to arrive at the output corresponding to the data to be decrypted, which requires a
number of computations which are of no direct use and which are time-consuming. This
problem can be solved by use of an IV. An IV is also useful in a Virtual Private Network
(VPN). In such a network, the data may be divided into packages, and a unique IV is
transmitted along with each package, whereby each package can be decrypted individually,
even if other packages are lost. The data to be encrypted/decrypted is divided into sections,
and each section is associated with a unique IV. The cipher is first set up by use of the key,
and thereafter the internal state of the mathematical system is changed in an unpredictable
way, as a function of the IV. These changes may be performed on counters, on the state values
or on both. The output of the cipher is then a function of both the key and the IV, and
thereby a given section or package can be encrypted/decrypted without iterating multiple
times.

In one example of a method employing an IV, a master state of the mathematical system is
created by a usual setup procedure, and subsequently a counter state is manipulated as
follows: the 64-bit IV is expanded to 256 bits and XOR'ed on the counter values, and the
system is then iterated a number of times to make all bits in the state dependent on all bits
in the IV.

The algorithm discussed above is further elaborated in M. Boesgaard, M. Vesterager, T.
Pedersen, J. Christiansen and O. Scavenius: Rabbit: A New High-Performance Stream Cipher,
Proceedings of Fast Software Encryption (FSE) 2003, Springer, Berlin, (2003).

Fig. 6 is a general illustration of a sequence for encrypting, transmitting and decrypting
digital data. Fig. 7 is an illustration of an encryption sequence in a block cipher system, and
Fig. 8 is an illustration of an encryption sequence in a stream cipher system, block cipher and
stream cipher systems being discussed in the above discussion of the background of the
invention.

A method and algorithm for encrypting/decrypting data will now be described. The algorithm
is applicable for most purposes in data encryption/decryption. However, the nature of the
algorithm favours encryption of data streams or other continuous data, such as large files,
live or pre-recorded audio/video, copyrighted material (e.g. computer games or other
software) and data for storage (e.g. backup and/or transportation). Furthermore, the speed
of the algorithm makes it particularly suitable for these purposes. Because of the calculation
method, the algorithm is also useable on very small processors.

The algorithm relies on a Pseudo-Random Sequence Stream Cipher system (PRSSC). PRSSC
systems are characterized by a pseudo-random number generator (the content of the outer
boxes on Fig. 9), which generates a sequence of data, which is pseudo-random, based on a
binary key. This sequence, the so-called keystream, cf. Fig. 9, is used for the encryption and
decryption. The keystream is unique for each possible key.


Applying the logical XOR-function (stated in the figure by the ⊕-symbol) on the plaintext and
an equal amount of keystream encrypts the plaintext. The output of the XOR-function is the
ciphertext. Applying the same approach once more on the ciphertext decrypts it into
plaintext. The decryption will only reveal the encrypted plaintext if the key used for the
decryption is fully identical to the key used for the encryption.

The integrity of the encrypted data lies in the key capable of decrypting the ciphertext.
Therefore it must be difficult to guess the key. To ensure this, the basic design of the
algorithm uses a key of at least 128 bits. A key size of 128 bits gives approximately
$3.4 \cdot 10^{38}$ different keys.

The algorithm uses a system which exhibits chaotic behaviour, such as a Lorenz system,
which consists of the following three ordinary differential equations:

$\frac{dx}{dt} = \sigma (y - x)$
$\frac{dy}{dt} = rx - y - xz$
$\frac{dz}{dt} = xy - bz$

where $\sigma$, $r$, $b$ are parameters, and $x$, $y$, $z$ are state variables.

Fig. 10 shows a plot of a numerical solution to a Lorenz system.



The following parameter criteria should be satisfied for chaos to occur in the system:
$(\sigma - b - 1) > 0$, $r > 1$, $r > \sigma \frac{\sigma + b + 3}{\sigma - b - 1}$, $\sigma, r, b > 0$

Even then, not all solutions will be chaotic. In the parameter space, there will be so-called
periodic windows, referring to combinations of parameters which give rise to periodic
solutions. Before implementing the system, analysis of the parameter space will be
performed using calculation of a Lyapunov exponent. Generally, a positive Lyapunov
exponent indicates that the solution to the mathematical system is chaotic, cf. Edward Ott,
Chaos in Dynamical Systems, Cambridge University Press 1993.

The parameters are typically determined from a seed value, such as an encryption key or a
part of an encryption key. Preferably, algorithms embodying the method of the present
invention are designed so that only parameter values within predefined intervals are made
possible, whereby it is ensured that the probability of the system having a positive Lyapunov
exponent is high. Accordingly, the mathematical system will have a high probability of
exhibiting chaotic behavior. The Lyapunov exponent may additionally or alternatively be
determined at the beginning or during the mathematical computations, so as to be able to
detect non-chaotic behavior of the solution to the mathematical system.


The mathematical system could as well be another continuous system (such as the Rössler
system) or a discrete map (such as the Hénon map).

The integration is performed using a numerical integration routine. Provided an initial
condition and an integration step length, the numerical integration routine calculates the
solution at discrete mesh points, e.g. by using the Euler method or a Runge-Kutta method.
Using the Euler method to express the Lorenz equations in discrete terms, the solution can
be computed from the following equations:

$x_{n+1} = x_n + (\sigma (y_n - x_n)) \cdot \Delta t_x$
$y_{n+1} = y_n + (x_n (r - z_n) - y_n) \cdot \Delta t_y$
$z_{n+1} = z_n + (x_n y_n - b z_n) \cdot \Delta t_z$

The calculations are performed using fixed-point numbers which are described below.

During numerical integration of a system of differential equations, the continuous
non-dependent variables (such as time t or space s) are discretized. This process refers to
replacing the continuous interval [a;b] with a set of discrete points. In such a system,
$\Delta T = (\Delta t_x, \Delta t_y, \Delta t_z)$ is usually referred to as the step length of the integration or the integration
step.

Fig. 12 illustrates a possible method of simultaneously computing two or more instances of
the same system or different systems, such as chaotic systems. The method confers higher
computational speed and improved security, and a larger key may be used. Preferably there
should be some kind of communication or coupling between the two systems, like for
example exchange of step length, such as exchange of $\Delta t_x$, $\Delta t_y$, and/or $\Delta t_z$.

The internal variables are in the basic design 32 bits wide each, but any variable width could
be used. When using the Lorenz system, there are 6 internal variables (3 state variables and
3 parameters). Thus, 192 bits (in the basic design) are used to represent an internal state of
the generator given by a set of the internal variables. The padding of the 128-bit key up to
192 bits should be done in such a way as to avoid illegal values, i.e. to ensure that all
variables contain allowed values, and as to avoid that bits from the key are ignored. The
padding may include inserting predetermined values of zeros and ones or repetitions of bits
from the key. Fig. 11 contains an illustration of key extension by padding.

The integration may be performed with variable time steps, which e.g. can be calculated from 
any one of the state variables. In the basic design, the step length At varies in each 
integration step. This variation is coupled to the state variable X. 

The keystream is extracted from some of the data related to the state variables. This may be 
done by extracting the 8 least significant bits from the y variable or by collecting some of the 
data wiped out In the calculations; e.g. from one or more of the multiplications perfqrmed in 
„±he calculation of.one step... . 

Usually, calculations on a chaotic system are performed on computers using floating-point 
variables. However, this method introduces problems. One problem is that the use of 
floating-point variables may cause generation of different keystreams on different computers 
even if the same key is used, because of the slight differences in the implementation of 
floating-points on different computer systems. 

Therefore fixed-point variables are used. The fixed-point variable is based on the integer data
type, which is implemented identically on various computer systems. To express numbers,
such as real numbers, digits after the decimal point are needed, the decimal point being
artificially located somewhere else than at the end of the number (e.g. 12.345 instead of
12345).

To ensure proper operation of the algorithm, some tests should preferably be performed.
Some of these tests are performed at run-time, and others are performed at design-time.

As a part of the initialization process, an amount of keystream equal to the complete data
content of the state variables (e.g. 192 bits) or equal to the amount of a complete key (e.g.
128 bits) is generated using the algorithm and saved, in case the key has to be reloaded
due to detection of periodic solutions or stationary points. In that case, the saved sequence is
loaded as a new key, and the initialization, including extraction of extra key, is redone.

Due to the finite representation of numbers on a computer, any numerical solution will be
periodic. However, some keys may result in keystreams having a rather small period.
This is undesirable as it may compromise the security of the system. Therefore there is
proposed an algorithm for detecting such periodic solutions. This algorithm watches the sign of
a variable or the slope of a variable. When using the Lorenz system, the check is performed
on x. When the sign changes from minus to plus (or plus to minus or just alters) the position
check is performed (the position check can also be performed after all iterations). The
position check compares the complete set of state variables with buffered sets from earlier. If
a complete match is found, a periodic solution is detected.

Stationary points of a dynamical system are sets of state variables which remain unchanged
during iteration. Such stationary points may be detected by comparing the current set of
state variables with the last set, or by checking if the slopes of all of the variables are zero or
by checking if both the current slope of one variable and its previous slope are zero.

Chaotic systems may, for one reason or another, enter into periodic solutions. This has to be
detected and corrected in order not to compromise the security of the system. If the solution
of the system becomes periodic, encryption may preferably be stopped, as the extracted
number from the solution of the mathematical system will also be periodic and hence not
pseudo-random. The test for periodic solutions includes comparing coordinates of the solution
with previously calculated coordinates. If a complete match is found, the system has entered
a periodic solution.

To reduce the amount of memory required to store previously calculated coordinates, and to
reduce the processing time required to test the coordinates, only selected coordinates are
stored in the coordinate cache. To reduce the processor time required to test for periodic
solutions, the test is only performed when the coordinates meet certain criteria. Fig. 13
illustrates the principle of performing a check for periodic solutions.

Fig. 14 shows a mathematical system with a periodic solution, more specifically a
two-dimensional non-linear system with a periodic solution. The system is deterministic, meaning
that the solution is completely specified by its initial conditions. In theory, the solution will be
continuous, thereby consisting of infinitely many points. When solving the system numerically,
the time-interval is discretized, and the solution is calculated at these points. The numerical
solution to a mathematical system is simply a sequence of coordinate sets. If we consider a
two-dimensional system, then the solution is specified at a number of points (x,y), illustrated
by dots on the curve in Fig. 14. The deterministic nature of the system implies that if the
solution ever hits a point which it has visited previously, the solution is periodic and will keep
being periodic. This property is employed in the present test.

In order to test for periodic solutions during numerical integration, we have to compare the
present calculated coordinate set with the previous values. In order to do this, the coordinate
sets are stored as they are calculated. This storage works like a queue and is referred to as
the coordinate cache. A calculated coordinate set is compared to every coordinate set in the
coordinate cache. If a complete match (all values in the two coordinate sets are equal) is
found, the system is in a periodic state. If the test is passed without a complete match, no
periodic behavior is detected, and the calculations may continue. Before the calculations
continue, the tested coordinate is added to the cache, for further comparisons.

It will require too much memory and processor time to keep all calculated coordinate sets of
the system in the cache. Hence, only selected coordinates are stored, as illustrated in Fig. 15.

The cache consists of a number of levels, each containing a coordinate of age growing by
level. After each test or after a number of tests, the tested coordinate is inserted at level 0.
Every second time (or any other time) a coordinate is inserted into level 0, the old value is
inserted into level 1 before it is overwritten. The method for inserting coordinates at the
other levels is similar; every second time a value is inserted at any level, the old value is
transported to the next level before it is overwritten at the current level.

This method results in a coordinate cache containing coordinates with an exponentially
growing age. Level 0 stores coordinates with an age of 1 or 2 (the prior checked coordinate
or the one before the prior checked coordinate), level 1 stores coordinates with an age of 3 -
6 (3 at the test after the coordinate has been inserted, and then growing to 6 before the next
coordinate is inserted), level 2 stores coordinates with an age of 7 - 14, and so on.

The pseudo program code in Example I shows how the cache may be implemented. 

Because the age of the levels is varying, a periodic solution may not be found immediately. A
periodic solution having a period length of 11 tests will be detected at level 2 of the cache,
because the age of the data at level 2 is between 7 and 14. However, the test will not detect
the periodic solution before the coordinate is exactly 11 tests old. Therefore up to 12 tests
may be performed before the periodic behavior is detected. In this case, it means that the
system may pass through up to 12/11 period before it is detected.

A possible expansion to the algorithm described above is a varying TransportAge, cf. the
pseudo code program in Example I. If some coordinates can be identified as more likely to
take part in a periodic solution than others, the InsertCoordinate procedure, cf. the pseudo
code program in Example I, may recognize them, and use a reduced value of TransportAge
for those. This will favor the critical coordinates in the cache, and make the data in the cache
become younger if many critical coordinates are stored. The younger age of data in the cache
makes a periodic solution detectable after fewer iterations within the periodic solution.

The test may be performed after each iteration, that is, every time we have calculated a
new coordinate set of the solution. However, to save processor resources, the test should
instead be performed at a periodic interval. In order to make the test work, the test must be
performed when the solution is at a recognizable position. One way to make sure the test is
performed at the same position each time is to find a recognizable point in the graphical plot
of the solution. To do so, the system has to be analyzed for its characteristic behavior, and a
criterion has to be chosen. For the above shown non-linear system, the examples of criteria
illustrated in Figs. 16-18 are useable.

The first possible criterion, as illustrated in Fig. 16, is change of sign of x from minus to plus. That
is, when the sign of x changes from minus to plus, the test is performed. The second criterion
is change of sign of dx from plus to minus, as illustrated in Fig. 17. The third criterion is
change of dy from plus to minus, as illustrated in Fig. 18.

When choosing the criterion, two considerations have to be made. First of all, all possible 
periodic solutions shall be able to fulfil the criterion. Secondly, to reduce processor load, the 
criterion with fewest tests should be selected. 

At design time some extra tests can be performed on the systems and the chosen parameter
spaces, to ensure the efficiency, stability and correctness of the system. These tests may
include calculations of Lyapunov exponents, using Gram-Schmidt orthogonalization, as well
as statistical analysis of the keystream.

EXAMPLE I 

The following pseudo code program shows an example of a program for encrypting and 
decrypting data which encrypts one byte at a time. The program works in accordance with 
the flow charts of Figs. 20-27. The program works with 32-bit registers. Fig. 20 illustrates a 
method which encrypts a file containing data. Figs. 21-27 correspond to those functions 
shown in the pseudo-code below which relate to check for periodic solution and to a stream- 
cipher using the Lorenz system. 

Pseudo-code for fixed-point library

FloatToFixedPoint: Converts a floating-point number, X, into a fixed-point number. The result
of the function has the format S(a.b) or U(a.b).

    fixedpoint FloatToFixedPoint (float X)
    {
        return X*2^b;     // b is the number of bits after the decimal
                          // separator in the fixed-point
                          // representation of the result
    }

FixedPointToFloat: Converts a fixed-point number, X, having the format S(a.b) or U(a.b), into
a floating-point number.

    float FixedPointToFloat (fixedpoint X)
    {
        return X*2^-b;    // b is the number of bits after the decimal
                          // separator in the fixed-point
                          // representation of X
    }

ConvertFixedPoint: Converts an input fixed-point number, X, having the format S(a.b) or
U(a.b), into the requested format, S(c.d) or U(c.d). The result is signed if the argument, X, is
signed, and vice versa.

    fixedpoint ConvertFixedPoint (fixedpoint X)
    {
        return X*2^(d-b); // b is the number of bits after the decimal
                          // separator in the fixed-point
                          // representation of X. d is the number of
                          // bits after the decimal separator in the
                          // fixed-point representation of the result
    }


Addition and subtraction of fixed-point numbers in the same format are performed using 
ordinary integer addition and subtraction functions. 

MulFixedPoint: Multiply two fixed-point numbers, X and Y. X has the format S(a.b) or U(a.b)
and Y has the format S(c.d) or U(c.d). The resulting fixed-point number has the format
S(e.f) or U(e.f). The result as well as X and Y must all be either signed or unsigned values
and stored in 32-bit registers. ">>" is the arithmetic shift right for signed multiplication and
logical shift right for unsigned multiplication.

    fixedpoint MulFixedPoint (fixedpoint X, fixedpoint Y)
    {
        int64 Temp;           // A 64-bit register to hold the intermediate
                              // result

        Temp = X*Y;           // Two 32-bit values X and Y are multiplied
                              // into the 64-bit intermediate result

        return Temp >> b+d-f; // b and d are the number of bits after the
                              // decimal separator in the fixed-point
                              // representation of X and Y respectively.
                              // f is the number of bits after the decimal
                              // separator in the fixed-point
                              // representation of the result.
                              // The conversion of the value of a 64-bit
                              // register into a 32-bit register is
                              // performed by ignoring the 32 most
                              // significant bits and copying
                              // the 32 least significant bits into the
                              // destination register.
    }

Pseudo-code for check for periodic solution

Global constants in the sub-system for checking for periodic solutions. The code is able to
detect periods when the number of inflexions is less than TransportAge^(CacheDepth-1). (Note that
there can only be half as many inflexions as iterations.)

    const int CacheDepth = 32;
    const int TransportAge = 2;
    const int SpareSeedLength = 16;

The sub-system for checking for periodic solutions has a number of global variables, e.g. to
store the cache of old coordinates and the spare key to be loaded if a periodic solution is
found.

    fixedpoint xCache[CacheDepth];
    fixedpoint yCache[CacheDepth];
    fixedpoint zCache[CacheDepth];
    int CoordinateAge[CacheDepth];

    char SpareSeed[SpareSeedLength];
    fixedpoint xOld, xOldOld;

SetupCoordinateCheck: Set up the sub-system for checking for periodic solutions. All
positions of the coordinate cache are reset to (x, y, z) = (0, 0, 0), since (0, 0, 0) is a
stationary point for the Lorenz system, and therefore is a coordinate value indicating that a
reload of the key is needed.

    void SetupCoordinateCheck ()
    {
        int i;

        // Clear coordinate cache
        for (i=0; i<CacheDepth; i++)
        {
            xCache[i] = 0;
            yCache[i] = 0;
            zCache[i] = 0;
            CoordinateAge[i] = 1;
        }

        xOld = 0;             // Variables for detecting when to check are
        xOldOld = 0;          // reset

        // Prepare spare seed
        for (i=0; i<SpareSeedLength; i++)
            SpareSeed[i] = 0;

        // Generate the spare key
        Crypt (SpareSeed, SpareSeed+SpareSeedLength-1);
    }

InsertCoordinate: Inserts a coordinate at a certain level of the coordinate cache if the age of
the previous values stored at that level has passed a certain threshold value. Before the old
coordinate at that certain level is overwritten, it is inserted at the next level.

    void InsertCoordinate (fixedpoint x, fixedpoint y, fixedpoint z, int Level)
    {
        // Transfer current coordinate at this level
        // ("Level") to next level ("Level"+1), if
        // its age is equal to "TransportAge", unless
        // this level is the highest level possible.
        if ((CoordinateAge[Level] >= TransportAge) && (Level+1 < CacheDepth))
        {
            InsertCoordinate (xCache[Level], yCache[Level], zCache[Level], Level+1);
            CoordinateAge[Level] = 0;
        }

        // Insert the new coordinate
        xCache[Level] = x;
        yCache[Level] = y;
        zCache[Level] = z;

        // Increase the age counter for this level
        CoordinateAge[Level]++;
    }


CheckCoordinate: Checks if the x variable solution curve has an inflexion, for which the sign
of the slope of the curve changes from positive to negative. If not, the function exits.
Otherwise the function checks if an equal coordinate is stored in the coordinate cache. If a
match is found, the function loads the spare key into the algorithm. Finally, the coordinate is
inserted into the coordinate cache.

    void CheckCoordinate (fixedpoint x, fixedpoint y, fixedpoint z)
    {
        int i;

        // If the sign of the slope of the
        // x curve changes from positive to
        // negative ...
        if ((x <= xOld) && (xOldOld <= xOld))
        {
            // ... compare with every coordinate in the cache
            for (i=0; i<CacheDepth; i++)
            {
                // If match is found ...
                if ((xCache[i] == x) && (yCache[i] == y) && (zCache[i] == z))
                {
                    // Period is found! - Load spare key
                    // and reinitialize
                    Init128 (SpareSeed);
                }
            }

            // Insert the coordinate into the
            // coordinate cache
            InsertCoordinate (x, y, z, 0);
        }

        // Store the x value for future comparison
        xOldOld = xOld;
        xOld = x;
    }

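The coordinate cache and match test from the pseudo-code above, written as runnable C in an added example (not part of the patent's own code) and driven with a constructed orbit to count how many tests pass before a repeat is flagged. The `orbit` generator, `tests_until_detected`, the struct layout and the cache depth of 8 are assumptions; the test is run after every iterate, so the slope criterion on x and the spare-key reload are left out.

```c
#include <stdint.h>
#include <stdio.h>

#define CACHE_DEPTH   8   /* assumption: shallower than the pseudo-code's 32 */
#define TRANSPORT_AGE 2   /* as in the pseudo-code */

typedef struct { int32_t x, y, z; } coord_t;

typedef struct {
    coord_t slot[CACHE_DEPTH];
    int     age[CACHE_DEPTH];   /* inserts at this level since the last transport */
} cache_t;

static void cache_reset(cache_t *c)
{
    for (int i = 0; i < CACHE_DEPTH; i++) {
        c->slot[i] = (coord_t){0, 0, 0};   /* (0,0,0): stationary point */
        c->age[i]  = 1;
    }
}

/* Insert at `level`; every TRANSPORT_AGE-th insert first pushes the old
 * entry one level up, so higher levels hold older coordinates. */
static void cache_insert(cache_t *c, coord_t v, int level)
{
    if (c->age[level] >= TRANSPORT_AGE && level + 1 < CACHE_DEPTH) {
        cache_insert(c, c->slot[level], level + 1);
        c->age[level] = 0;
    }
    c->slot[level] = v;
    c->age[level]++;
}

/* Returns the level holding an identical coordinate set, or -1. */
static int cache_find(const cache_t *c, coord_t v)
{
    for (int i = 0; i < CACHE_DEPTH; i++)
        if (c->slot[i].x == v.x && c->slot[i].y == v.y && c->slot[i].z == v.z)
            return i;
    return -1;
}

/* Constructed orbit (not Lorenz output): `transient` distinct points
 * followed by a cycle of `period` distinct points. t is 1-based and no
 * point equals (0,0,0). */
static coord_t orbit(int t, int transient, int period)
{
    int idx = (t <= transient) ? t
                               : transient + 1 + (t - transient - 1) % period;
    return (coord_t){ idx, 2 * idx + 1, -idx };
}

/* Runs check-then-insert on every iterate. Returns the 1-based test at
 * which a complete match is found, or 0 if none within max_tests. */
int tests_until_detected(int transient, int period, int max_tests)
{
    cache_t c;
    cache_reset(&c);
    for (int t = 1; t <= max_tests; t++) {
        coord_t v = orbit(t, transient, period);
        if (cache_find(&c, v) >= 0)
            return t;               /* here the spare key would be loaded */
        cache_insert(&c, v, 0);
    }
    return 0;
}

int main(void)
{
    printf("period 11, no transient : test %d\n", tests_until_detected(0, 11, 100));
    printf("period 11, transient 5  : test %d\n", tests_until_detected(5, 11, 100));
    printf("stationary point        : test %d\n", tests_until_detected(0, 1, 100));
    return 0;
}
```

A repeat is only flagged when a cached coordinate's age equals a multiple of the period, so the test at which detection happens depends on where the orbit enters the cycle relative to the transport schedule.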

Pseudo-code for stream-cipher using the Lorenz system 

In this context, the modulus function, MOD, which takes an argument, q, returns a positive
value in the range [0;q[.

The σ-variable in the Lorenz equations has been renamed to s.

The format of the fixed-point variables is defined according to Table I.

Table I:

| Variable | Fixed-point format |
|----------|--------------------|
| r        | S(7.24)            |
| b        | S(7.24)            |
| s        | S(7.24)            |
| x        | S(7.24)            |
| y        | S(7.24)            |
| z        | S(7.24)            |

The format of the temporary fixed-point variables used in the Crypt function is defined
according to Table II.

Table II:

| Variable | Fixed-point format |
|----------|--------------------|
| tx       | S(15.16)           |
| ty       | S(15.16)           |
| tz       | S(15.16)           |
| dt       | S(12.19)           |

Allowed values for parameters, r, b, and s, and allowed starting conditions for coordinates, x,
y, and z are listed in Table III:

Table III:

| Variable | Allowed value               |
|----------|-----------------------------|
| r        | [1;5[                       |
| b        | [b+10;b+18[                 |
| s        | [4b+0.5s+12.5;4b+0.5s+20.5[ |
| x0       | [-32;32[                    |
| y0       | [-32;32[                    |
| z0       | [-32;32[                    |


Crypt: Encryption, decryption and PRNG function. Arguments are PData (pointer to the first
byte to encrypt/decrypt) and PEnd (pointer to the last byte to encrypt/decrypt). If the
function is intended to generate pseudo-random numbers, the function should be given an
amount of data to encrypt (e.g. zeroes) of the same size as the requested pseudo-random
data.

    void Crypt (char* PData, char* PEnd)
    {
        fixedpoint dt;

        while (PData <= PEnd)
        {
            // Calculation of the time step
            dt = 10*2"" + x MOD 2" 11 ;

            tx = s*(y-x);         // Calculation of the next state
            ty = x*(r-z)-y;
            tz = x*y-b*z;
            x = x + tx*dt;
            y = y + ty*dt;
            z = z + tz*dt;

            // Check and insert the coordinate
            InsertCoordinate (x, y, z, 0);

            // Extract and encrypt
            *PData = *PData XOR ((y*2^24 XOR y*2^16) MOD 2^8);

            PData = PData + 1;    // Increase the pointer to data to encrypt
        }
    }

MaskParameters: To ensure that the initial state and the parameters are valid after loading
an expanded key or a pseudo-random sequence, the state and parameters have to be
modified using this function. The correction is performed according to the restrictions defined
in Table III.

    void MaskParameters ()
    {
        x = x*0.25;
        y = y*0.25;
        z = z*0.25;

        b = (b MOD 4) + 1;
        s = (s MOD 8) + 10 + b;
        r = (r MOD 8) + 12.5 + 2*b + 0.5*s;
    }

Init192: Load a 192-bit seed (pointed to by the PSeed pointer) into the state of the system.

    void Init192 (char* PSeed)
    {
        x = *PSeed;           // Copy the seed into the state
        y = *(PSeed+4);
        z = *(PSeed+8);
        r = *(PSeed+12);
        b = *(PSeed+16);
        s = *(PSeed+20);

        MaskParameters ();    // Correct the state to make it valid
    }


Init128: Load a 128-bit seed (or key) (pointed to by the PSeed pointer) into the state of the
system, performing the key setup procedure.

    void Init128 (char* PSeed)
    {
        char Seed192[24];     // Allocate 24 bytes of memory
        int i;

        x = *PSeed;           // The seed is expanded into the state
        y = *(PSeed+3);
        z = *(PSeed+6);
        r = *(PSeed+8);
        b = *(PSeed+10);
        s = *(PSeed+12);

        MaskParameters ();    // Make state valid

        // Iterate 16 rounds before extraction
        Crypt (Seed192, Seed192+15);

        for (i=0; i<24; i++)  // Reset the data in Seed to zeroes
            Seed192[i] = 0;

        // Generate 24 bytes of pseudo-random data
        Crypt (Seed192, Seed192+23);

        Init192 (Seed192);    // Load the pseudo-random data into the state

        // Iterate 16 rounds before using the
        // algorithm
        Crypt (Seed192, Seed192+15);

        // Initiate the coordinate check algorithm
        SetupCoordinateCheck ();
    }


The statistical properties of the output of the system, i.e. the keystream, may be tested
according to the NIST (National Institute of Standards and Technology) Test Suite, cf. 'A
statistical test suite for random and pseudo-random number generators for cryptographic
applications', NIST Special Publication 800-22. See also http://csrc.nist.gov/rng/rng2.html.
The NIST Test Suite comprises sixteen different tests, which are briefly summarized below.
The tests may for example be performed on a program similar to the above pseudo-code for
a stream cipher using the Lorenz system.

The tests deliver a number of almost non-overlapping definitions of randomness. The simpler
definitions are included below, whereas those definitions which require more complicated
concepts from the theory of probability are referred to by the phrase "what can be
calculated/is expected for a truly random sequence". The above NIST publications contain the
appropriate definitions and references to works on the theory of probability.

Frequency monobit test: This test determines the proportion of zeroes and ones for the entire
keystream sequence. For a truly random keystream sequence, the number of ones is
expected to be about the same as the number of zeros. During the test, it is investigated
whether this property holds for the keystream sequence in question.

Frequency block test: In this test, the keystream sequence is divided into M-bit blocks. In a
truly random keystream sequence, the number of ones in each block is approximately M/2. If
this also characterizes the tested keystream sequence, the test is regarded as successful.

Runs test: A run within the keystream sequence is defined as a sub-sequence of identical
bits. The test checks for runs of different lengths, where a run of length k is constituted by k
identical bits bounded by bits of a value opposite to the bits in the run. The occurrence of
runs of different lengths is compared to what is expected for a truly random sequence.

Longest run of zeroes: In this test, the sequence is divided into blocks of M bits each, and the
longest run of ones within each block is found. The distribution of the lengths of runs for the
blocks is compared to the distribution for blocks in a random sequence. An irregularity in the
expected length of the longest run of ones indicates that there is also an irregularity in the
expected length of the longest run of zeroes.

Binary matrix rank test: In this test, fixed length sub-sequences of the keystream sequence
are used to form a number of matrices by collecting M·Q bit segments into M by Q matrices.
By calculating the rank of these matrices, the test checks for linear dependence among the
sub-sequences.

Discrete Fourier transform test: By applying the discrete Fourier transform, this test checks
for periodic characteristics of the keystream sequence. The heights of the resulting frequency
components are compared to a threshold defined from a truly random sequence.

Non-overlapping template matching test: When performing this test, a number of
non-periodic m-bit patterns are defined, and the occurrences of the particular patterns are
counted.

Overlapping template matching test: This test is very similar to the non-overlapping template
matching test, the only differences being the structure of the pattern of m bits, and the way
the search for the pattern is performed. The pattern of m bits is now a sequence of m ones.

Maurer's universal statistical test: This test calculates the distance between matching 
patterns in the keystream sequence. By doing so, a measure of the compressibility of the 
keystream sequence is obtained. A significantly compressible keystream sequence is 
considered to be non-random. 

Lempel-Ziv compression test: In this test, the number of cumulatively distinct patterns is 
calculated, thus providing a measure of the compressibility of the keystream sequence. The 
result is compared to a random sequence, which has a characteristic number of distinct 
patterns. 

Linear complexity test: This test calculates the length of a linear feedback shift register in 
order to determine whether or not the sequence is complex enough to be considered random. 

Serial test: This test calculates the frequency of all possible overlapping m-bit patterns across
the entire sequence. For a truly random keystream sequence, all of the $2^m$ possible m-bit
patterns occur with the same probability. The deviation from this probability is calculated for
the keystream sequence in question.

Approximate entropy test: This test has the same focus as the serial test, but with the added
feature that the frequencies of m- and (m+1)-bit patterns are calculated. The results
obtained for the patterns of different length are compared and used to characterize the
sequence as either random or non-random.

Cumulative sums test: In this test, the sequence is used to define a random walk with ones 
and zeroes corresponding to +1 and -1, respectively. It is determined whether the 
amplitudes of the cumulative sums of the partial keystream sequences are too large or too 
small relative to what is expected for a truly random keystream sequence. 

Random excursions test: In this test, the sequence is, similarly to the cumulative sums test,
transferred into a random walk. The number of visits to certain states (values the cumulative
sum can hold), which the random walk potentially passes through, is used to characterize the
sequence as either random or non-random. The considered states are -4, -3, -2, -1, 1, 2, 3,
4.

Random excursions variant test: Almost identical to the random excursions test. Eighteen
states are used in this test.

For each test, a P-value, $P_{val}$, is calculated, which provides a quantitative comparison of the
actual sequence and an assumed truly random sequence. The definitions of the P-values
depend on the actual test (see the NIST documentation). Values of $P_{val} > \alpha$ indicate
randomness, where $\alpha$ is a value in the interval $0.001 \le \alpha \le 0.01$, the exact value of $\alpha$ being
defined for each test. Otherwise, non-randomness is declared.

The NIST Test Suite defines, for each test, the proportion of samples whose P-value should
pass the criterion $P_{val} > \alpha$. In all of the above tests, except the Random excursions test, the
proportion of samples whose respective P-values, $P_{val}$, pass the appropriate criteria should be
at least 0.972766. For the Random excursions test, the proportion given by NIST is at least
0.967813.

In preferred embodiments of the method, the following proportions are preferably achieved,
as an average of at least $10^4$ samples obtained by use of randomly chosen keys: at least
0.975, such as at least 0.98, such as at least 0.985, such as at least 0.99, such as at least
0.995, such as at least 0.998.

Possible input parameters to the NIST Test Suite are given in Table IV below in the notation
used in the documentation accompanying the NIST Test Suite.

TABLE IV:

| Name of test                            | Input           |
|-----------------------------------------|-----------------|
| Frequency block test                    | m = 100         |
| Longest run test                        | M = 10000       |
| Non-overlapping templates matching test | m = 9           |
| Overlapping templates matching test     | m = 9           |
| Maurer's universal test                 | L = 7, Q = 1280 |
| Serial test                             | m = 5           |
| Approximate entropy test                | m = 5           |


EXAMPLE II 

Table V shows the speed of encryption provided by a method as generally disclosed
herein, cf. Figs. 1-5, as well as speeds of encryption of various known encryption
methods. The speed of encryption provided by the methods of the present invention was
measured in respect of an algorithm as described in M. Boesgaard, M. Vesterager, T.
Pedersen, J. Christiansen and O. Scavenius: Rabbit: A New High-Performance Stream Cipher,
Proceedings of Fast Software Encryption (FSE) 2003, Springer, Berlin, (2003). The algorithm
was implemented in assembly language using MMX™ instructions.

From the measurements, the speed was calculated to be equivalent to an
encryption/decryption speed of 947 Mbit/sec on a 450 MHz Pentium III processor.



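Table V:

| Name           | Year of introduction | Type   | Key size [bit] | Block size [bit] | Speed [clocks/byte] | Speed [Mbit/s] | Memory requirements for tables etc. [bytes] |
|----------------|----------------------|--------|----------------|------------------|---------------------|----------------|---------------------------------------------|
| AES/Rijndael   | 1998                 | block  | 128-256        | 128-256          | 14.8^3              | 243            | >256-4096                                   |
| Blowfish       | 1994                 | block  | 32-448         | 64               | 18^2                | 200            | <5K                                         |
| Present Method |                      | stream | 128            |                  | 3.7                 | 947            | 60                                          |
| DES            | 1975                 | block  | 56             | 64               | 45^2                | 80             | >256                                        |
| IDEA           | 1992                 | block  | 128            | 64               | 50^2                | 72             | >12                                         |
| Panama         | 1998                 | stream | 256            |                  | 6.7^1               | 537            | >1092                                       |
| RC4            | 1987                 | stream | 32-2048        |                  | 7^2                 | 514            | >256                                        |
| SNOW           | 2000                 | stream | 128-256        |                  | 6.5^4               | 554            | * 1024                                      |
| SOBER-t32      | 2000                 | stream | 128            |                  | 21^4                | 171            | •                                           |
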

Speed is estimated from different sources. The superscripts in the "Speed [clocks/byte]"
column of Table V refer to the below source references:

1. Crypto++ 4.0 Benchmarks, www.eskimo.com/~weidai/benchmarks.html,
MS C++ (Intel Celeron 850MHz), available on 6 June 2003.

2. Bruce Schneier et al.: Fast Software Encryption: Designing Encryption Algorithms for
Optimal Software Speed on the Intel Pentium Processor.

3. Kazumaro Aoki et al.: Fast Implementation of AES Candidates (128 bit keys, 128 bit
blocks, Pentium II).

4. Performance of Optimized Implementations of the NESSIE Primitives (version 2.0),
http://www.cosic.esat.kuleuven.ac.be/nessie/ available on 6 June 2003 (Pentium III numbers
are used).

In general, speed and memory can be traded for many of the implementations, e.g. by using
lookup tables which require more memory but may save processing time.

End of Example II

When performing computations on numbers expressed as binary numbers, for example when
adding or multiplying two numbers, it may be possible to omit parts of the computations
involved in addition or multiplication, if bits of a number resulting from the addition or
multiplication may be omitted or disregarded. Thus, if the least significant bits of the
resulting number are not necessary or if the most significant bits of the resulting number
may be disregarded (which may be the case in a pseudo-random number generator, where
what is needed is not the true result of the computations but merely a pseudo-random
number), the least and/or most significant bits of the resulting number need not be
computed.

Thus, a method for performing mathematical operations on integer numbers of a certain bit
width which is larger than the register width of the processing unit on which the
computations are performed is disclosed. Mathematical operations or computations on
fixed-point numbers are performed as integer operations, whereby the integer numbers are
expressed as binary numbers. The binary representation of integer numbers requires a
certain register width, e.g. 32 bit. When performing mathematical operations, such as
addition or multiplication, by means of a processing unit having a register width which is
smaller than the width required for representation of the binary numbers, e.g. 8 bit, the
binary numbers may be split into a plurality of binary sub-numbers, each represented by a
width equal to or smaller than the register width of the processing unit. Thus, two 32 bit
numbers may be split into two sets of four 8 bit sub-numbers, and multiplication or addition
may be performed on the 8 bit sub-numbers by means of an 8 bit processing unit. For
example, addition of a number

A = 11011001101101010110101010110111 and a number 
B = 10000111011110111111010101001001 

to achieve a result R=A+B may be performed by performing the following steps: 

1. Each of the numbers A and B is split into four sub-numbers, A1, A2, A3, A4, and B1, B2,
B3, and B4. A1 represents the 8 most significant bits of the number A, and A4 represents
the 8 least significant bits of the number A, etc. Thus, in the example shown above, the
sub-numbers are:

A1=11011001
A2=10110101
A3=01101010
A4=10110111
B1=10000111
B2=01111011
B3=11110101
B4=01001001

2. The least significant sub-numbers, A4 and B4, are then added: R4=A4+B4. Any carry
resulting from the addition of A4 and B4, C4, is stored.

3. The second least significant sub-numbers, A3 and B3, and the carry from step 2 above,
C4, are then added: R3=A3+B3+C4. Any carry resulting from this addition, C3, is stored.

4. Addition of A2 and B2 in a way analogous to step 3, to achieve R2 and C2.

5. Addition of A1 and B1 in a way analogous to steps 3 and 4 to achieve R1. Any carry
resulting from this addition, C1, is regarded as overflow and is not taken into
consideration.

6. The number resulting from the addition of A and B is stored as four sub-numbers, R1, R2,
R3 and R4, and/or represented by a 32 bit wide string built from the sub-numbers R1,
R2, R3, and R4.

In case not all bits in a number resulting from a multiplication operation are to be used in
further computations, and/or in case not all bits are significant for the further computations
and may be disregarded, processing time in connection with multiplication operations on a
processing unit having a register width smaller than the bit width of the numbers to be
multiplied may be reduced by performing only partial multiplication as explained below. For
example, multiplication of two 16 bit numbers, D and E, wherein

D = 1101100110110101 and
E = 0110101010110111

on an 8 bit processing unit to achieve a 32 bit number, F, may be performed by the following
steps:

1. Each of the numbers D and E is split into two sub-numbers, D1, D2, and E1, E2. D1
represents the 8 most significant bits of D, D2 represents the 8 least significant bits of D,
etc. Thus, in the example shown above, the sub-numbers are:

D1=11011001
D2=10110101
E1=01101010
E2=10110111

2. D1 is multiplied with E1 to achieve a 16 bit number expressed as two 8 bit numbers, G1
and G2.

3. D1 is multiplied with E2 to achieve a 16 bit number expressed as two 8 bit numbers, H1
and H2.

4. D2 is multiplied with E1 to achieve a 16 bit number expressed as two 8 bit numbers, I1
and I2.

5. D2 is multiplied with E2 to achieve a 16 bit number expressed as two 8 bit numbers, J1
and J2.

6. The resulting 32 bit number F is expressed as four 8 bit numbers, F1, F2, F3, and F4,
wherein:

F4=J2
F3=H2+I2+J1
F2=G2+H1+I1+[any carry resulting from the calculation of F3]
F1=G1+[any carry resulting from the calculation of F2],

as illustrated in Fig. 19 wherein MS denotes "most significant 8 bit" and LS denotes "least
significant 8 bit".

Processing time may be saved by disregarding F4, i.e. the least significant bits of the number
resulting from the multiplication, and by disregarding J1 in the addition which leads to F3.
Thus, the multiplication of D2 with E2 at step 5 may be omitted, whereby fewer mathematical
operations are performed, which leads to saving of processing time. This omission has an
impact on the computational result which, however, may be acceptable if the omission is
performed consistently throughout the computations in, e.g. a pseudo-random number
generator, e.g. in an encryption/decryption algorithm, and if it is performed both in
decryption and encryption. It should usually be ensured that properties of the mathematical
system, e.g. chaotic behavior, which are of importance in the context in question, e.g.
encryption/decryption, are maintained in spite of the impact which the omission of one or
more computational steps has on the computations.
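
The limb-wise addition and the shortened multiplication described above, written out in C as an added example (not code from the patent). The function names and the strided sweep in max_upper16_gap are assumptions made for illustration; the operands in main are the A, B, D and E of the text.

```c
#include <stdint.h>
#include <stdio.h>

/* R = A + B on an 8-bit unit: limbs are added least significant first and
 * each carry (C4, C3, C2) is passed on; the final carry C1 is dropped. */
uint32_t limb_add32(uint32_t a, uint32_t b)
{
    uint32_t r = 0;
    unsigned carry = 0;
    for (int i = 0; i < 4; i++) {
        unsigned ai = (a >> (8 * i)) & 0xFFu;
        unsigned bi = (b >> (8 * i)) & 0xFFu;
        unsigned s = ai + bi + carry;              /* fits in 9 bits */
        r |= (uint32_t)(s & 0xFFu) << (8 * i);
        carry = s >> 8;
    }
    return r;
}

/* F = D * E from the 8x8 partial products G, H, I, J of steps 1 to 6.
 * With skip_j != 0 the product D2*E2 is never computed, so J1 is left
 * out of F3 and F4 is zero (the shortcut described in the text). */
uint32_t limb_mul16(uint16_t d, uint16_t e, int skip_j)
{
    unsigned d1 = d >> 8, d2 = d & 0xFFu;
    unsigned e1 = e >> 8, e2 = e & 0xFFu;
    unsigned g = d1 * e1;
    unsigned h = d1 * e2;
    unsigned i = d2 * e1;
    unsigned j = skip_j ? 0u : d2 * e2;

    unsigned f4 = j & 0xFFu;
    unsigned f3 = (h & 0xFFu) + (i & 0xFFu) + (j >> 8);
    unsigned f2 = (g & 0xFFu) + (h >> 8) + (i >> 8) + (f3 >> 8);
    unsigned f1 = (g >> 8) + (f2 >> 8);
    return ((uint32_t)(f1 & 0xFFu) << 24) | ((uint32_t)(f2 & 0xFFu) << 16) |
           ((uint32_t)(f3 & 0xFFu) << 8) | (uint32_t)f4;
}

/* Largest difference in the upper 16 bits between the full and the
 * shortened product over a strided sweep of operand pairs (the stride
 * is an assumption that keeps the sweep short). */
unsigned max_upper16_gap(void)
{
    unsigned worst = 0;
    for (uint32_t d = 0; d <= 0xFFFFu; d += 251u)
        for (uint32_t e = 0; e <= 0xFFFFu; e += 241u) {
            unsigned full = limb_mul16((uint16_t)d, (uint16_t)e, 0) >> 16;
            unsigned cut  = limb_mul16((uint16_t)d, (uint16_t)e, 1) >> 16;
            if (full - cut > worst)
                worst = full - cut;
        }
    return worst;
}

int main(void)
{
    uint32_t a = 0xD9B56AB7u, b = 0x877BF549u;   /* A and B from the text */
    uint16_t d = 0xD9B5u, e = 0x6AB7u;           /* D and E from the text */
    printf("A+B          = %08lX\n", (unsigned long)limb_add32(a, b));
    printf("D*E full     = %08lX\n", (unsigned long)limb_mul16(d, e, 0));
    printf("D*E without J= %08lX\n", (unsigned long)limb_mul16(d, e, 1));
    printf("max gap in upper 16 bits = %u\n", max_upper16_gap());
    return 0;
}
```

Dropping D2•E2 lowers the result by exactly J, so the upper 16 bits differ from the true product by at most one unit. Both ends of a cipher therefore have to use the same variant, otherwise their keystreams diverge.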

There is further provided a method of performing multiplication operations on a first binary
number and a second binary number. The method comprises summing a number of
intermediate results, whereby the sum of the intermediate results is equal to the product of
the two numbers. Each intermediate result is achieved as the product of one single bit (1 or
0) of the first number and the entire second number, a, whereby the product and thus the
intermediate number may be determined by a simple "if...then" algorithm and/or a logical
AND operation, as the product of 1 • a = a, and as the product of 0 • a = 0.






Subsequent to computing the intermediate number, the intermediate number is shifted a
number of positions to the left, the number of positions corresponding to the position of the
bit of the first number from which that particular intermediate number is calculated.
Alternatively, either the second number or the particular bit of the first number is switched to
the left. Accordingly, the step of multiplying one bit of a first one of the two numbers is
repeated for each bit of the first number. For example the product of a first number, 0110,
and a second number 1010 is computed as follows: the least significant bit of the first
number, 0, is multiplied with the second number 1010 to obtain a first intermediate number,
0000. Then, the second least significant bit of the first number, 1, is multiplied with the
second number and shifted one position to the left to obtain a second intermediate number,
10100. Then, the third least significant bit of the first number, 1, is multiplied with the
second number and shifted two positions to the left to obtain a third intermediate number,
101000. Finally, the most significant bit of the first number, 0, is multiplied with the second
number and shifted three positions to the left to obtain a fourth intermediate number,
0000000. The resulting number is obtained as a sum of the four intermediate numbers, as
illustrated below, the brackets indicating which bits are being multiplied in the individual
steps:

011[0] • 1010 =    0000   (first intermediate number)
01[1]0 • 1010 =   10100   (second intermediate number)
0[1]10 • 1010 =  101000   (third intermediate number)
[0]110 • 1010 = 0000000   (fourth intermediate number)

Result:         0111100   (sum of intermediate numbers)






Fig. 28 illustrates a further mathematical system which may be employed in the methods of 
the present invention. A set of five coupled subsystems is provided, wherein the subsystems 
are one-dimensional maps. Three of the maps contain static parameters and two of the maps 
are influenced by a counter. The system configuration is illustrated in Fig. 28. 



The iteration scheme of the system is defined by the following equations:

$$
\begin{aligned}
x_{0,i+1} &= ((x_{0,i} + p_0) \bmod 1)^2 + 2x_{0,i} + k\,x_{4,i} \bmod 1 \\
x_{1,i+1} &= ((x_{1,i} + c_{0,i}) \bmod 1)^2 + 2x_{1,i} + k\,x_{0,i} \bmod 1 \\
x_{2,i+1} &= ((x_{2,i} + p_1) \bmod 1)^2 + 2x_{2,i} + k\,x_{1,i} \bmod 1 \\
x_{3,i+1} &= ((x_{3,i} + c_{1,i}) \bmod 1)^2 + 2x_{3,i} + k\,x_{2,i} \bmod 1 \\
x_{4,i+1} &= ((x_{4,i} + p_2) \bmod 1)^2 + 2x_{4,i} + k\,x_{3,i} \bmod 1
\end{aligned}
$$

where $x_{n,i}$ is the state variable of system n at iteration i, $p_0$, $p_1$ and $p_2$ are static parameters,
$c_{0,i}$ and $c_{1,i}$ are counters. The coupling is unidirectional with coupling strength k. Values in the
interval [0;1[ may be assigned to the parameters $p_0$, $p_1$ and $p_2$. The counters $c_{0,i}$ and $c_{1,i}$ cycle
through the interval [0;1[ by increments which are a fraction of 1. The increments of $c_{0,i}$ and
$c_{1,i}$ need not be identical. The counters may be incremented independently of each other. In
another embodiment, a first one of the counters is only incremented when a second one of
the counters reaches a certain value. A first one of the counters may be incremented in each
iteration, whereas a second one of the counters may be incremented only when the first one
reaches its maximum. Alternatively, both counters may be incremented in each iteration, or
they may be incremented in an alternating way, so that the first counter is incremented in
every second iteration and the second counter is incremented in those iterations where the
first counter is not incremented.
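
One way to run the five coupled maps in 32-bit fixed-point arithmetic, as an added example that is not taken from the patent. It assumes Q0.32 fractions (so "mod 1" is the natural wraparound of a 32-bit register), truncation after each multiplication, and the counter embodiment in which c_1 advances only when c_0 wraps; all names and the constructed parameter values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t x[5];    /* state variables x_0..x_4 as Q0.32 fractions in [0,1) */
    uint32_t p[3];    /* static parameters p_0, p_1, p_2                       */
    uint32_t c[2];    /* counters c_0, c_1                                     */
    uint32_t inc[2];  /* counter increments (fractions of 1)                   */
    uint32_t k;       /* coupling strength k                                   */
} maps5;

/* Q0.32 product: keep the upper 32 bits of the 64-bit result. */
static uint32_t fmul(uint32_t a, uint32_t b)
{
    return (uint32_t)(((uint64_t)a * b) >> 32);
}

/* ((x + par) mod 1)^2 + 2x + k*x_in mod 1; every "mod 1" is a 32-bit wrap. */
static uint32_t map_next(uint32_t x, uint32_t par, uint32_t k, uint32_t x_in)
{
    uint32_t t = x + par;
    return fmul(t, t) + 2u * x + fmul(k, x_in);
}

/* One iteration: maps 0, 2, 4 use static parameters, maps 1 and 3 use the
 * counters; each map is coupled to its predecessor, map 0 to map 4. */
void maps5_step(maps5 *s)
{
    uint32_t n[5];
    n[0] = map_next(s->x[0], s->p[0], s->k, s->x[4]);
    n[1] = map_next(s->x[1], s->c[0], s->k, s->x[0]);
    n[2] = map_next(s->x[2], s->p[1], s->k, s->x[1]);
    n[3] = map_next(s->x[3], s->c[1], s->k, s->x[2]);
    n[4] = map_next(s->x[4], s->p[2], s->k, s->x[3]);
    for (int j = 0; j < 5; j++)
        s->x[j] = n[j];

    /* c_0 advances every iteration; c_1 only when c_0 wraps past 1. */
    uint32_t before = s->c[0];
    s->c[0] += s->inc[0];
    if (s->c[0] < before)
        s->c[1] += s->inc[1];
}

/* Constructed start state: x = 0, p_0 = 0.5, p_1 = p_2 = 0, k = 0.5,
 * increments 0.25 and 0.5. */
static maps5 maps5_run(int steps)
{
    maps5 s = { {0, 0, 0, 0, 0}, {0x80000000u, 0, 0}, {0, 0},
                {0x40000000u, 0x80000000u}, 0x80000000u };
    for (int i = 0; i < steps; i++)
        maps5_step(&s);
    return s;
}

uint32_t maps5_demo_x(int steps, int j) { maps5 s = maps5_run(steps); return s.x[j]; }
uint32_t maps5_demo_c(int steps, int j) { maps5 s = maps5_run(steps); return s.c[j]; }

int main(void)
{
    for (int i = 1; i <= 6; i++)
        printf("i=%d x0=%08lX x1=%08lX c0=%08lX c1=%08lX\n", i,
               (unsigned long)maps5_demo_x(i, 0), (unsigned long)maps5_demo_x(i, 1),
               (unsigned long)maps5_demo_c(i, 0), (unsigned long)maps5_demo_c(i, 1));
    return 0;
}
```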

CLAIMS

1. A method for repeatedly performing computations in a mathematical system which
exhibits a positive Lyapunov exponent, comprising varying at least one parameter of the 
mathematical system after a certain number of computations. 

2. A method according to claim 1, wherein at least one variable of the mathematical system 
is expressed as a fixed-point number. 

3. A method according to claim 2, further comprising the steps of: 

- expressing the mathematical system in discrete terms, 

- performing said computations in such a way that the computations include the at least
one variable expressed as a fixed-point number, 

- obtaining, from said computations, a resulting number, the resulting number representing 
at least one of: 

a. at least a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of the
mathematical system. 

4. A method according to any of the preceding claims, wherein the mathematical system 
comprises at least one non-linear map. 

5. A method according to any of the preceding claims, wherein said at least one parameter is 
repeatedly varied at predetermined intervals in said computations. 

6. A method according to any of the preceding claims, wherein said computations involve
performing iterations in the mathematical system. 

7. A method according to any of the preceding claims, wherein said at least one parameter is 
represented by a counter which varies independently of the mathematical system. 


8. A method according to claim 7, wherein the counter is increased at each iteration in the 
mathematical system. 

9. A method according to claim 7 or 8, wherein a maximum value is defined for the counter,
the method comprising resetting the counter to a minimum value once the counter has
reached said maximum value, whereby the counter varies with a certain period.

10. A method according to any of claims 7-9, wherein a set of counters is employed, the set
comprising multiple counters.

11. A method according to claim 10, wherein the variation of a first one of said counters is
dependent from the variation of a second one of said counters in such a way that the period
of the first counter is different from the period of the second counter.

12. A method according to claim 10 or 11, wherein the variation of each individual one of
said counters is dependent from the variation of at least another one of said counters so as
to obtain a period of the counters which is longer than the period which would have existed if
each individual counter would not have been dependent from the variation of another
counter.

13. A method according to any of the preceding claims, wherein the one or more counters
is/are increased linearly.

14. A method for generating pseudo-random numbers comprising performing mathematical
operations by a method according to any of claims 1-13.

15. A method for generating an identification value comprising performing mathematical
operations by a method according to any of claims 1-13.

16. A method for encrypting and/or decrypting data comprising performing mathematical
operations by a method according to any of claims 1-13.

17. A method according to claim 15, wherein encrypting and/or decrypting comprises
generating pseudo-random numbers by a method according to claim 14.

18. A method for manipulating a first set of data in a cryptographic system, the first set of
data comprising a first and a second number of a first and a second bit size A and B,
respectively, the method comprising:

- multiplying the first and the second number to obtain a third number of a third bit size
A+B, the third number consisting of P most significant and Q least significant bits,
wherein A+B=P+Q, and wherein Q is equal to the largest of the first bit size A and the
second bit size B, Q=max(A,B),

- manipulating the third number to obtain a fourth number which is a function of at least
one of the P most significant bits of the third number,

- using the fourth number for deriving an output of the cryptographic system.

19. A method according to claim 18, wherein the first number is equal to the second number.

20. A method according to claim 18 or 19, wherein at least one of the first and second
number represents at least one state variable of a mathematical system, and wherein the
state variable is updated as a function of the fourth number.

21. A method according to claim 20, wherein the state variable is updated as a function of a
permutation of the fourth number.

22. A method according to claim 21, wherein the permutation comprises a bitwise rotation of
the bits of the fourth number.

23. A method according to any of claims 18-22, wherein:

- the step of multiplying is performed multiple times, each multiplication being
performed on a number which represents or is a function of one of a plurality of state
variables, the step of multiplying thereby resulting in a plurality of third numbers, and
wherein

- the step of manipulating results in an array comprising a plurality of fourth numbers,
and wherein

- at least one state variable is updated as a function of at least two of the fourth
numbers.

24. A method according to any of claims 18-23, wherein at least one of the first and second
number is a state value $X_i$ to which there is added a variable parameter value.

25. A method according to claim 24, wherein the parameter value is a counter $C_i$.

26. A method according to claim 25, wherein the step of multiplying comprises squaring
$(X_i + C_i)$, wherein $X_i$ denotes a state variable or an array of state variables, and wherein $C_i$
denotes the counter or an array of counters.

27. A method according to any of claims 24-26, wherein said at least one parameter is
repeatedly varied at predetermined intervals in said computations.

28. A method according to any of claims 18-27, wherein a counter $C_i$ is added to the fourth
number or to a number which is a function of the fourth number to result in an updated state
variable $X_{i+1}$.

29. A method according to any of claims 18-28, wherein the step of multiplying comprises
calculating $x^k$, x denoting the first number, k denoting an exponent.

30. A method according to claim 29, wherein k is an integer number.

31. A method according to any of claims 18-30, wherein the step of manipulating comprises
at least one logical operation which is performed on a bit of the most significant bits and a bit
of the least significant bits of the third number.

32. A method according to claim 31, wherein the logical operation comprises at least one
XOR operation.

33. A method according to claim 32, wherein P=Q, and wherein the at least one XOR
operation comprises P XOR operations to result in a result of bit size P, each XOR operation
being performed on one bit of the most significant bits of the third number and one bit of the
least significant bits of the third number.

34. A method according to any of claims 18-33, wherein the step of manipulating comprises
at least one arithmetic operation which is performed on at least one bit of the most
significant bits and at least one bit of the least significant bits.

35. A method according to any of claims 18-34, wherein the step of multiplying comprises a
plurality of multiplication functions resulting in a plurality of numbers of bit size A+B, and
wherein the step of manipulating comprises combining at least one of the bits of a first one of
the plurality of numbers with at least one of the bits of a second one of the plurality of
numbers.

36. A method according to claim 35, wherein the plurality of multiplication functions
comprises at least one squaring operation, and wherein the step of manipulating comprises
combining at least one of the P most significant bits of a first one of the plurality of numbers
with at least one of the Q least significant bits of a second one of the plurality of numbers.

37. A method according to any of claims 18-36, wherein the step of multiplying is performed
in a mathematical system in which at least one state variable is being iterated.

38. A method according to any of claims 18-37, wherein the step of multiplying is performed
in an iterative system of at least two state variables.

39. A method according to claim 38, wherein, in each computational sequence, values
assigned to each of the at least two state variables is updated as a function of at least one
value of the same and/or another state variable.

40. A method according to any of claims 18-39, wherein the fourth number is used for
generating or updating a pseudo-random number as the output of the cryptographic system.

41. A method according to any of claims 18-40, wherein at least one of the first and second
number is derived from a second set of data to be encrypted or decrypted, and wherein the
fourth number is used to generate an encrypted or decrypted representation of the second
set of data.

42. A method according to any of claims 18-41, wherein at least one of the first and second
number is derived from a second set of data, and wherein the fourth number is used for
generating an identification value identifying the second set of data.

43. A method according to any of claims 18-42, wherein at least one of the first and second
number is derived from a cryptographic key.

44. A method for manipulating a first set of data in a cryptographic system, the first set of
data comprising a first and a second number, the method comprising:

- dividing the first number by the second number to obtain a quotient and a remainder,

- combining, by means of a mathematical operation, the quotient and the remainder to
obtain a resulting number,

- using the resulting number for deriving an output of the cryptographic system.

45. A method for generating a periodic sequence of numbers in a cryptographic system in
which computational steps are repeatedly performed, the method comprising updating, in
each computational step i, an array of counters, the counters being updated by a logical
and/or by an arithmetic function, whereby, at each computational step, a carry value is
added to each counter in the array, wherein the carry added to the first counter in the array,
$c_0$, is obtained from at least one of:

- a selected computation of a value of the array of counters,
- a value which is a function of a counter value at a previous computational step.
46. A method for generating a periodic sequence of numbers in a cryptographic system in
which computational steps are repeatedly performed, the method comprising updating, in
each computational step i, an array $C_i$ of counters $c_{j,i}$, the counters being updated as:

$$c_{0,i+1} = c_{0,i} + a_0 + d_i \bmod N_0,$$

$$c_{j,i+1} = c_{j,i} + a_j + b_{j-1,i+1} \bmod N_j \quad \text{for } j>0,$$

where:

$c_{j,i+1}$ is a value assigned to position j of array C at step i+1, j=0...n-1, n denoting a
dimension of the array C,
$c_{j,i}$ is a value assigned to position j of array C at step i, j=0...n-1,
$a_j$ is a value assigned to position j of an array A, j=0...n-1,
for j>0: $b_{j-1,i+1}$ is a carry value resulting from the computation of $c_{j-1,i+1}$,
$N_j$ is a constant, j=0...n-1,
for i=0: $d_i=d_0$ is an initial value,
for i>0: $d_i$ is a carry value obtained from a selected computation of a value of the array of
counters $C_i$ and/or a function of $C_i$.

47. A method according to claim 46, wherein each value $a_j$ is a constant.

48. A method according to claim 46 or 47, wherein n=1, so that:

the array C contains a single value $c_{0,i}$,
the array A contains a single value $a_0$.

49. A method according to any of claims 46-48, wherein, for i>0, $d_i$ is a carry value resulting
from the computation of $c_{n-1,i}$.

50. A method according to any of claims 46-48, wherein $d_i$ is a carry value resulting from the
computation of q.i,i+i.

51. A method according to any of claims 46-50, wherein the computational steps which are
performed in the cryptographic system comprise an iterative procedure in which an array of
state variables, X, is repeatedly iterated so that at least one value assigned to a position in
the array of state variable X at computational step i+1 is a function of:

- at least one value assigned to a position in the array of state variables X at computational
step i, and

- at least one value assigned to a position of the array of counters C at computational step
i.

52. A method according to claim 51, wherein the array of state variables X contains a single
variable.

53. A method according to claim 51 or 52, wherein the array of state variables X at
computational step i+1 is a function of $X_i + C_i$, $X_{i+1} = f(X_i + C_i)$.

54. A method according to any of claims 46-53, wherein the product of N 0 -N 1 -...-N Ivl - 1 and
a concatenated value of A are mutually prime.

55. A method for generating an output of a cryptographic system in which computational
steps are performed as an iterative procedure wherein an array of state variables, X, is
repeatedly iterated so that at least one value assigned to a position in the array of state
variables X at iteration step i+1 is a function of:

- at least one value assigned to a position in the array of state variables X at iteration i,
and

- at least one value assigned to a position of an array of counters C at iteration i,

the array of counters being updated in each iteration as:

$$c_{0,i+1} = c_{0,i} + a_0 + d_i \bmod N_0,$$

$$c_{j,i+1} = c_{j,i} + a_j + b_{j-1,i+1} \bmod N_j \quad \text{for } j>0,$$

where:

$c_{j,i+1}$ is a value assigned to position j of array C at step i+1, j=0...n-1, n denoting a
dimension of the array C,
$c_{j,i}$ is a value assigned to position j of array C at step i, j=0...n-1,
$a_j$ is a value assigned to position j of an array A, j=0...n-1,
for j>0: $b_{j-1,i+1}$ is a carry value resulting from the computation of
$N_j$ is a constant, j=0...n-1,
for i=0: $d_i=d_0$ is an initial value,
for i>0: $d_i$ is a carry value obtained from a selected computation of a value of the array of
counters $C_i$ and/or a function of $C_i$,

each iteration comprising:

- multiplying a first number of a first bit size A and a second number of a second bit size B
to obtain a third number of a third bit size A+B, at least one of the first and second
number being equal to or a function of at least one value assigned to a position of the
array of state variables X at iteration i, the third number consisting of P most significant
and Q least significant bits, wherein A+B=P+Q, and wherein Q is equal to the largest of
the first bit size A and the second bit size B, Q=max(A,B),

- manipulating the third number to obtain a fourth number which is a function of at least
one of the P most significant bits of the third number,

- using the fourth number for deriving the output of the cryptographic system and/or for
assigning new values to positions of the array of state variables X.

56. A method of determining an identification value for identifying a set of data and for
concurrently encrypting and/or decrypting the set of data, the method comprising performing
numerical computations in a mathematical system exhibiting a positive Lyapunov exponent.

57. A method according to claim 56, further comprising the steps of:

- expressing the mathematical system in discrete terms,

- expressing at least one variable of the mathematical system as a fixed-point number,






WO 03/104969 PCT/DK03/00375 


- performing said computations in such a way that the computations include the at least 
one variable expressed as a fixed-point number, 

- obtaining, from said computations, a resulting number, the resulting number representing 
at least one of: 

a. at least a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of the 
mathematical system. 

58. A method according to claim 56 or 57, the method further comprising repeatedly 
performing mathematical computations as iterations in the mathematical system, whereby
various parts of the set of data or modifications thereof may be used as input to the 
computations. 

59. A method according to any of claims 56-58, the method further comprising: 

- repeatedly performing mathematical computations as iterations in the mathematical 
system, whereby various parts of the set of data or modifications thereof may be used as 
input to the computations, following each computation or a certain number of
computations: 

- extracting a resulting number from the computations, the resulting number 
representing at least one of: 

a. at least a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of the 
mathematical system, 

- determining an updated value for the identification value based on the resulting 
number, whereby various parts of the set of data or modifications thereof may be 
used as input in the step of determining, 

- encrypting and/or decrypting a certain portion of the set of data based on the 
resulting number, 

whereby as many iterations are performed as required for encrypting and/or decrypting the 
entire set of data. 

60. A method according to any of claims 56-59, further comprising: 

- expressing the mathematical system in discrete terms, 

- expressing at least one variable of the mathematical system as a fixed-point number, 

- performing said computations in such a way that the computations include the at least 
one variable expressed as a fixed-point number. 

61. A method according to any of claims 56-60, wherein the identification value is further
modified following encryption and/or decryption of the entire set of data. 
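
The counter update of claims 46 and 49 on a deliberately small array, as an added example rather than code from the application. It assumes two 4-bit counters (N_0 = N_1 = 16), takes d_i as the carry out of the last counter at the previous step, and measures the cycle length by brute force; the names and the increment values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define NCTR 2      /* n: number of counters in the array (constructed, small) */
#define NMOD 16u    /* N_j = 16 for every j, i.e. 4-bit counters               */

typedef struct {
    unsigned c[NCTR];   /* c_{j,i}                                    */
    unsigned d;         /* d_i: carry fed into c_0 at the next step  */
} ctr_state;

/* One computational step. With feedback != 0 the carry out of the last
 * counter is added to c_0 at the following step; with feedback == 0 the
 * array behaves like a plain 8-bit counter. */
void ctr_step(ctr_state *s, const unsigned a[NCTR], int feedback)
{
    unsigned carry = feedback ? s->d : 0u;
    for (int j = 0; j < NCTR; j++) {
        unsigned sum = s->c[j] + a[j] + carry;
        s->c[j] = sum % NMOD;
        carry = sum / NMOD;          /* b_{j,i+1}, passed to counter j+1 */
    }
    s->d = carry;
}

static int ctr_equal(const ctr_state *p, const ctr_state *q)
{
    for (int j = 0; j < NCTR; j++)
        if (p->c[j] != q->c[j])
            return 0;
    return p->d == q->d;
}

/* Cycle length reached from the all-zero state: run past any transient
 * (there are only 16*16*2 = 512 states), then count steps until the
 * state repeats. */
unsigned ctr_period(unsigned a0, unsigned a1, int feedback)
{
    const unsigned a[NCTR] = { a0, a1 };
    ctr_state s = { {0u, 0u}, 0u };
    for (int i = 0; i < 1024; i++)
        ctr_step(&s, a, feedback);
    ctr_state ref = s;
    unsigned n = 0;
    do {
        ctr_step(&s, a, feedback);
        n++;
    } while (!ctr_equal(&s, &ref));
    return n;
}

static unsigned gcd_u(unsigned x, unsigned y)
{
    while (y) { unsigned t = x % y; x = y; y = t; }
    return x;
}

/* 1 if the concatenated increment a1:a0 shares no factor with 16*16 - 1. */
int increment_coprime(unsigned a0, unsigned a1)
{
    return gcd_u(a1 * NMOD + a0, NMOD * NMOD - 1u) == 1u;
}

int main(void)
{
    printf("a=0x4D feedback: %u\n", ctr_period(0xD, 0x4, 1));
    printf("a=0x4D plain:    %u\n", ctr_period(0xD, 0x4, 0));
    printf("a=0x33 feedback: %u (coprime: %d)\n",
           ctr_period(0x3, 0x3, 1), increment_coprime(0x3, 0x3));
    return 0;
}
```

With the carry fed back, one step adds the concatenated increment modulo 2^8 - 1, so an increment sharing a factor with 255 (0x33 here) collapses the cycle to 5 states while 0x4D reaches 255.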

Claims: 15 and 17

Claims 15 and 17 directed to variation of a parameter of a
mathematical system exhibiting a positive Lyapunov exponent,
used for the purpose of generating an identification value.

3. Claim: 16

Claim 16 directed to variation of a parameter of a
mathematical system exhibiting a positive Lyapunov exponent,
used for the purpose of encryption/decryption.
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Claims 18-43 directed to the manipulation of at least one of 
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identification value generation and the improvement of 
encryption velocity in a mathematical system exhibiting a 
positive Lyapunov exponent, 


A partial search has been carried out, which relates to the invention
I mentioned above according to Article 17(3)(a), PCT ("the first
invention mentioned").

The applicant is invited to pay additional fees for six (6) of the
inventions II-VII as listed above.

The present application has been considered to contain seven (7)
inventions, which are not linked such that they form a single general
inventive concept, as required by Rule 13 PCT for the following
reasons:

Claim 14 relates to the problem of generating a pseudo-random number.
This problem appears to be solved by repeatedly performing computations
in a mathematical system which exhibits a positive Lyapunov exponent.

Claims 15 and 17 relate to the problem of generating an identification
value. This problem appears to be solved by repeatedly performing
computations in a mathematical system which exhibits a positive Lyapunov
exponent.

Claim 16 relates to the problem of encrypting or decrypting data or
generates a pseudo-random number. This problem appears to be solved
by repeatedly performing computations in a mathematical system which
exhibits a positive Lyapunov exponent.


Claims 18-43 relate to the problem of manipulating a set of data,
comprising two numbers, by means of multiplication, thus receiving 
a third number, which is manipulated in order to extract a fourth 
number, which is used for deriving the output of a cryptographic 
system. This problem is solved by multiplying the first and the second 
number to obtain a third number of a third bit size, consisting of P 
most significant and Q least significant bits. 

Claim 44 relates to the problem of manipulating a set of data, 
comprising two numbers, by means of division in order to derive an
output for a cryptographic system. This problem appears to be solved 
by dividing the first number with a second number to obtain a quotient 
and a remainder and combining these numbers by means of mathematical 
operations to obtain a resulting number. 

Claims 45-55 relate to the problem of updating counter values by means 
of carry value. This problem appears to be solved by obtaining the 
carry added to the first counter in the array from either a selected 
computation of a value of the array of counters, or a value, which is 
a function of a counter value at a previous computational step. 

Claims 56-61 relate to the problem of concurrent encryption and
identification value generation and the improvement of encryption 
velocity in a mathematical system exhibiting a positive Lyapunov 
exponent. This problem appears to be solved by performing computations 
in a mathematical system, which exhibits a positive Lyapunov exponent.

As both problems and solutions are technically different, no single 
general concept can be formulated based on the technical features of 
the inventions. Consequently, the requirements of Rule 13.1 PCT are 
not met.

It was investigated under Rule 13.2 if any further features, either 
in the claims or derivable from the description, could be considered 
as a same or corresponding feature and which could be considered a 
special technical feature establishing a technical link between the 
seven (I-VII) groups of inventions.

No such features were identified. 


Consequently, the seven groups of inventions are not so linked as to 
form a single general inventive concept as required by Rule 13.1 PCT. 

The claims 1-13 relate to subject matter for which no search is
required according to Rule 39 PCT. Given that the claims are formulated
in terms of such subject matter or merely specify commonplace features
relating to its technological implementation, the search examiner could 
not establish any technical problem which might potentially have 
required an inventive step to overcome. Hence it was not possible to 
carry out a meaningful search into the state of the art (Art. 17(2) 
(a)(i) and (ii) PCT; see Guidelines Part B Chapter VIII, 1 6). 

The applicant's attention is drawn to the fact that claims relating 
to inventions in respect of which no international search report has 
been established need not be subject of an international preliminary 
examination (Rule 66.1 (e) PCT). The applicant is advised that the EPO 
policy when acting as an International Preliminary Examining Authority 
is normally not to carry out a preliminary examination on matter which 
has not been searched. This is the case irrespective of whether or not 
the claims are amended following the receipt of the search report or 
during any Chapter II procedure. If the application proceeds into the 
regional phase before the EPO, the applicant is reminded that a search 
may be carried out during examination of the EPO (see EPO Guideline 
C-VI, 8.5), should the problems which led to the Article 17(2) 
declaration be overcome. 
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